Recent posts

#11
Ubuntu Blog / How to avoid package End of L...
Last post by tim - Jan 29, 2026, 08:19 PM
How to avoid package End of Life through backporting 

In July 2025, git received CVE-2025-48384, a high-severity vulnerability allowing arbitrary code execution when cloning repositories. The US Cybersecurity and Infrastructure Security Agency added it to their Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild.

If your Ubuntu system had already passed the End of Standard Support when this vulnerability was disclosed, you faced a choice: subscribe to Ubuntu Pro for the security patch, or continue running git with a known remote code execution vulnerability on your developer workstations and CI/CD infrastructure. 

This scenario highlights a critical decision point: how do you maintain security when packages lose standard support? This blog explores your options and how Canonical's backporting strategy helps you stay protected. 

The impact of End of Standard Support

Support lifecycle directly affects your system security. Although Canonical maintains LTS releases for extended periods, there inevitably comes a point where decisions are required to avoid running unsecured packages.

When Ubuntu 20.04 LTS reached End of Standard Support in April 2025, thousands of packages in the main repository lost free security maintenance. A typical enterprise server runs around 800 packages, which almost guarantees that some packages will no longer be covered by free security updates.

Understanding End of Standard Support vs End of Life

Here's what many users misunderstand: End of Standard Support and End of Life are different concepts for Canonical-built and supported packages.

Canonical provides two types of security coverage. The first is standard security maintenance, which lasts 5 years and provides free security updates for packages in the main repository only. Universe repository packages never receive free security updates, even during this period.

After 5 years, main repository packages stop receiving free updates but remain functional. Security patches continue to be developed and released for another 10 years through Ubuntu Pro subscriptions, the second type of coverage, covering both main and universe repositories.

End of Life occurs at the 15-year mark, when the Ubuntu Pro period with legacy add-on concludes. Only then do security patches stop being developed entirely.



If you're running Ubuntu and want to check your current support status, you can easily do this via the terminal:

pro security-status

This shows which packages have active security coverage and which represent potential vulnerability exposure in your infrastructure.

What are the actual risks?

The dependency problem significantly compounds the risk. When package A depends on package B, which depends on package C, an unsupported package anywhere in that chain creates vulnerability across your entire stack. Research from Endor Labs analyzing software packages found that 95 percent of all vulnerabilities are found in transitive dependencies, meaning most security risk in your software supply chain is indirect.
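The chain effect described above can be made concrete with a short audit sketch. This is an added example, not code from Canonical or the original post: the package names, components and dependency edges are constructed sample data, and `is_covered` and `uncovered_chains` are hypothetical helpers that encode the coverage rules as the article states them.

```python
from collections import deque

# Constructed sample data (not real archive metadata):
# package -> (repository component, direct dependencies)
PACKAGES = {
    "webapp":       ("main",     ["libframework", "openssl"]),
    "libframework": ("main",     ["libparser"]),
    "libparser":    ("universe", ["libc6"]),
    "openssl":      ("main",     ["libc6"]),
    "libc6":        ("main",     []),
    "git":          ("main",     ["libcurl", "libc6"]),
    "libcurl":      ("main",     ["openssl"]),
}

def is_covered(component, standard_support_active, pro_enabled):
    """Coverage rules as the article states them (Pro assumed before End of Life)."""
    if pro_enabled:
        return True                      # Pro covers main and universe
    return standard_support_active and component == "main"

def uncovered_chains(root, standard_support_active, pro_enabled, packages=PACKAGES):
    """Map each uncovered package reachable from root to the shortest path that pulls it in."""
    chains, seen, queue = {}, {root}, deque([[root]])
    while queue:
        path = queue.popleft()
        component, deps = packages[path[-1]]
        if not is_covered(component, standard_support_active, pro_enabled):
            chains[path[-1]] = path
        for dep in deps:
            if dep not in seen:          # visit each package once; also guards cycles
                seen.add(dep)
                queue.append(path + [dep])
    return chains

if __name__ == "__main__":
    for root, active, pro in [("webapp", True, False), ("git", False, False), ("git", False, True)]:
        found = uncovered_chains(root, active, pro)
        print(f"{root} (standard={active}, pro={pro}):")
        for pkg, path in found.items():
            print("   ", " -> ".join(path))
        if not found:
            print("    every package in the chain is covered")
```

Even while standard support is active, the constructed `webapp` root is exposed through a universe package two levels down, which is the indirect risk the paragraph describes.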

Systems without security updates remain vulnerable to every threat disclosed after support ends. The git vulnerability demonstrates how attackers exploit publicly documented weaknesses. Malicious repositories become attack vectors for remote code execution on developer workstations and CI/CD systems.

Beyond immediate security exposure, organizations face tangible compliance and operational consequences. The EU Cyber Resilience Act, which applies from December 2027, requires manufacturers to provide timely security updates throughout a product's lifecycle. Frameworks like FedRAMP, FISMA, and HIPAA require FIPS-140 certified cryptographic modules, while PCI-DSS mandates current security patches and vendor support. Running unsupported packages puts organizations at risk of failing these regulatory requirements. Organizations also face compatibility issues when newer packages expect updated dependencies and limited support when troubleshooting production incidents.

Your options when standard support ends
  • Upgrade to a newer LTS release

Upgrading moves your infrastructure to an LTS version within its 5-year standard support window. This restores free security updates for packages in the main repository and eliminates the support gap for those packages.

This approach works well when you have resources to test deployment thoroughly, your applications are compatible with the newer release, and you have time for comprehensive validation. The challenge is that major upgrades carry real costs and risks. Version jumps can break compatibility, require application changes, or introduce dependencies that need extensive testing before production deployment.

  • Enable Ubuntu Pro for expanded security maintenance

Enabling Ubuntu Pro on your infrastructure extends security coverage from 5 years to 15 years for packages in both main and universe repositories. This allows you to continue running your current release while receiving backported security patches. Canonical's security team actively scans, triages, and backports critical, high, and select medium CVEs to all maintained LTS releases.

The backporting strategy means Canonical applies security fixes to your current package versions rather than forcing major upgrades. You receive vulnerability patches without the breaking changes that come with major version jumps or the re-certification requirements that disrupt tightly controlled compliance environments.

Ubuntu Pro covers thousands of packages across main and universe. For organizations requiring the full 15-year support window, the legacy add-on becomes available after 10 years of coverage at 50% above the standard Ubuntu Pro subscription cost. We recommend this approach for organizations seeking cost-effective security and compliance. Ubuntu Pro offloads much of the vulnerability management effort while providing comprehensive coverage across open-source packages with simple, predictable pricing.

Read about Canonical's technical approach to security backporting and long term maintenance in our documentation at ubuntu.com/security/esm.

  • Run without security updates

Though not recommended, you can consciously choose to run packages without active support. This might be considered when the package handles genuinely non-critical functionality, the system operates in complete isolation from network exposure, or strong compensating controls effectively mitigate the vulnerability risk.

Be explicit about this choice and thoroughly document it. Maintain a register of unsupported packages with clear business justification, documented risk assessment, and regular review schedules. This will help you audit your system much faster in the future. What represents acceptable risk today may not remain acceptable as the threat landscape evolves and new attack patterns emerge.

Running without support through ignorance or inertia differs fundamentally from making a conscious risk acceptance decision with appropriate governance and executive approval.

How expanded security maintenance works

Canonical's security team monitors for vulnerabilities daily and evaluates their impact on supported packages. When vulnerabilities affect packages under Ubuntu Pro coverage, engineers apply available upstream patches or backport security fixes from newer versions to your maintained release. Updates undergo rigorous testing to verify stability and compatibility before becoming available through standard package management.

For embargoed vulnerabilities like the recent git security issues, Canonical prepares fixes in advance and releases them precisely when the embargo lifts, ensuring you're protected the moment the vulnerability becomes public knowledge.

This approach means you don't face a forced choice between security and operational stability. You maintain your current, tested environment while receiving necessary security patches that preserve compatibility.

How to choose the right approach after End of Standard Support

LTS release support timelines are predictable. Ubuntu 20.04 was released in April 2020 and reached End of Standard Support in April 2025, exactly 5 years later. Begin planning at least 6 months before standard support concludes. This gives you time to audit affected packages, test upgrade paths, secure budget, and coordinate infrastructure changes. Strategic planning prevents emergency decisions under pressure.

Your decision depends on risk tolerance, compliance requirements, engineering capacity, and budget. Most enterprises use a combination approach. Overall, our suggestions are as follows:

  • You should choose to upgrade your LTS when you can test thoroughly, your stack supports the next LTS, and staying current aligns with your strategy.
  • Choose expanded security maintenance when you need stability, lack upgrade resources, or require patches without version mandates.
  • You should only accept running without updates if you can reasonably maintain minimal risk exposure, can implement strong compensating controls, and have explicit documented approval.
  • The worst outcome is no decision at all, allowing support coverage to lapse through inaction.

What should you do today?

Run pro security-status to assess your current coverage. Identify which packages will lose standard support and when.

For Ubuntu 20.04 or earlier, standard support has ended. Those systems need decisions now.

Explore Ubuntu Pro options at ubuntu.com/pro or contact our team to discuss your requirements.


When a Git vulnerability hit systems past Ubuntu package end of life, teams had to reassess security options. Learn how to stay protected beyond standard support.


Categories: backporting, EOL
Source: https://ubuntu.com//blog/how-to-avoid-package-end-of-life-through-backporting Jan 23, 2026, 11:15 AM
#12
Ubuntu News / Free Up Disk Space by Removin...
Last post by tim - Jan 29, 2026, 08:19 PM
Free Up Disk Space by Removing Old Snap Versions

Running out of disk space on Ubuntu? Before you start uninstalling applications or clearing caches, you might want to check your snap revisions. I've been getting low disk space warnings on a 40GB Ubuntu partition. The usual tips to free space on Ubuntu weren't enough, so I opened Disk Usage Analyser – or run sudo du -sh /var/lib/snapd – and found nearly 8GB was eaten up by old snap versions. Not active versions of Snaps I have installed; backups of every snap I have installed. There, idle, in the snapd folder consuming several gigabytes "just in case" I need to [...]

You're reading Free Up Disk Space by Removing Old Snap Versions, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: How To, Snaps
Source: https://www.omgubuntu.co.uk/2026/01/remove-snap-revisions-ubuntu-disk-space Jan 29, 2026, 05:11 PM
#13
Ubuntu News / Transmission 4.1.0 Adds Seque...
Last post by tim - Jan 29, 2026, 08:19 PM
Transmission 4.1.0 Adds Sequential Downloading, IPv6 Support

Transmission 4.1 adds support for IPv6 and dual-stack UDP trackers, sequential downloading, and improved µTP (Micro Transport Protocol) performance.

You're reading Transmission 4.1.0 Adds Sequential Downloading, IPv6 Support, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: News, App Updates, transmission
Source: https://www.omgubuntu.co.uk/2026/01/transmission-4-1-0-released Jan 28, 2026, 07:03 PM
#14
Ubuntu News / COSMIC Desktop ‘Frosted Glass...
Last post by tim - Jan 29, 2026, 08:19 PM
COSMIC Desktop 'Frosted Glass' UI Effect Previewed

Frosted blur effect is coming to System76's COSMIC desktop, giving apps and desktop elements a modern feel. These images shared by the team show how it looks.

You're reading COSMIC Desktop 'Frosted Glass' UI Effect Previewed, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: News, Cosmic DE, Eye Candy
Source: https://www.omgubuntu.co.uk/2026/01/cosmic-desktop-frosted-glass-effect Jan 28, 2026, 03:39 AM
#15
Ubuntu News / New AppImage Offers an Easier...
Last post by tim - Jan 29, 2026, 08:19 PM
New AppImage Offers an Easier Way to Run Affinity on Ubuntu

No more fighting with Wine dependencies: an unofficial Affinity v3 AppImage runs Canva's creative suite on Ubuntu via a simple, self-contained executable.

You're reading New AppImage Offers an Easier Way to Run Affinity on Ubuntu, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: News, affinity, Graphic & Design Apps, Wine
Source: https://www.omgubuntu.co.uk/2026/01/run-affinity-linux-ubuntu-appimage Jan 27, 2026, 01:23 AM
#16
Ubuntu News / Mecha Comet – Modular Linux H...
Last post by tim - Jan 29, 2026, 08:19 PM
Mecha Comet – Modular Linux Handheld with Snap-On Modules

Meet the Mecha Comet: a modular, open-source Linux handheld built for tinkerers. Features snap-on modules, Linux OS and AMOLED display – now on Kickstarter!

You're reading Mecha Comet – Modular Linux Handheld with Snap-On Modules, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: Hardware, News, crowdfunding, Mecha Comet
Source: https://www.omgubuntu.co.uk/2026/01/mecha-comet-modular-linux-handheld Jan 26, 2026, 06:06 PM
#17
Ubuntu News / Turn Scripts into Quick Setti...
Last post by tim - Jan 29, 2026, 08:19 PM
Turn Scripts into Quick Settings Toggles with this GNOME Extension

Add custom command and script toggles to GNOME Shell's Quick Settings menu. Create up to 6 buttons to trigger any action you want, easily and in reach!

You're reading Turn Scripts into Quick Settings Toggles with this GNOME Extension, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: News, GNOME Extensions
Source: https://www.omgubuntu.co.uk/2026/01/custom-command-toggle-gnome-extension Jan 26, 2026, 12:56 AM
#18
Ubuntu News / Funding, AI and Politics Take...
Last post by tim - Jan 29, 2026, 08:19 PM
Funding, AI and Politics Take Center Stage at FOSDEM 2026

FOSDEM, Europe's biggest open-source event, returns to Brussels with keynotes on FOSS funding, AI security and digital sovereignty from January 31-February 1.

You're reading Funding, AI and Politics Take Center Stage at FOSDEM 2026, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: Event, News, AI/ML, EU, FOSDEM
Source: https://www.omgubuntu.co.uk/2026/01/fosdem-2026-open-source-funding-ai-talks Jan 25, 2026, 07:42 PM
#19
Ubuntu News / Tonearm, New Unofficial TIDAL...
Last post by tim - Jan 29, 2026, 08:19 PM
Tonearm, New Unofficial TIDAL Client for Linux, Hits Beta

A new app for streaming music from TIDAL on Linux has entered beta. Tonearm, which is unofficial, is built in GTK4/libadwaita and uses official TIDAL APIs.

You're reading Tonearm, New Unofficial TIDAL Client for Linux, Hits Beta, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: News, GNOME Music, Music Players, tidal
Source: https://www.omgubuntu.co.uk/2026/01/tonearm-tidal-client-for-linux-beta Jan 23, 2026, 07:48 PM
#20
Ubuntu News / Firefox’s Tab Notes Feature F...
Last post by tim - Jan 29, 2026, 08:19 PM
Firefox's Tab Notes Feature Feels Genuinely Useful (For Me, At Least)

Want to add a note to a tab in Firefox? Well, soon you can. Mozilla developers are working on a new Tab Notes feature, and it's available to test early - here's how.

You're reading Firefox's Tab Notes Feature Feels Genuinely Useful (For Me, At Least), a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.


Categories: News, Firefox
Source: https://www.omgubuntu.co.uk/2026/01/firefox-new-tab-notes-feature Jan 23, 2026, 04:21 AM