It’s that time of the year again: With a new release of Ubuntu Linux on the horizon, we’re continuing our tradition of diving deep into what’s new in security. This release is probably Ubuntu's smallest in recent memory in terms of new security features, but that doesn’t mean it’s not worth upgrading.
Linux Kernel 6.3
As always, each Linux kernel release includes thousands of improvements from performance enhancements to new drivers. This release of Ubuntu upgrades the kernel from 6.2 to 6.3 with the following new security features:
- DES-based encryption is disabled by default for NFS connections, with the option to also disable SHA-1.
- Hardware acceleration for AES cipher in GCM mode on ARM, which increases performance by ~75% in testing.
- Hardware acceleration for the ARIA cipher on Intel AVX2 and AVX-512 capable processors.
- Support for the AMD Zen 4’s Automatic IBRS (Indirect Branch Restricted Speculation). This provides mitigation for Spectre v2 without the performance impact of software-only mitigations. See Phoronix.com performance testing for in-depth benchmarking.
systemd has been updated from 252 to 253, which includes several small but important security updates:
- New unit configuration options, `ReloadLimitIntervalSec` and `ReloadLimitBurst`, let you control how rapidly services attempt to restart. These are great configuration options for preventing system denial-of-service attacks through service crashing.
- The `systemd-cryptenroll` command includes improved support for unlocking using FIDO2 tokens.
- A new tool, ukify, for building Unified Kernel Images, can be used to pull full disk encryption (FDE) keys from the TPM2 store when dual booting Linux with encrypted Windows drives.
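The following unit drop-in is an added example (not from the article or the systemd project) showing the new rate-limiting settings next to the older start-limit pair for comparison. `ReloadLimitIntervalSec` and `ReloadLimitBurst` cap how many reload requests a unit accepts within an interval; `StartLimitIntervalSec` and `StartLimitBurst` (present in earlier systemd releases) cap how many (re)starts are attempted before the unit is put into a failed state. The unit name, path and the numeric limits are assumptions chosen for the example.

```ini
# Assumed drop-in path: /etc/systemd/system/myapp.service.d/limits.conf
# (myapp.service is a hypothetical unit; the numbers below are example values)

[Unit]
# New in systemd 253: accept at most 5 reload requests in any 60-second window.
# Further reloads inside that window are refused instead of thrashing the service.
ReloadLimitIntervalSec=60
ReloadLimitBurst=5

# Pre-existing start rate limit: at most 5 (re)starts in 10 minutes.
# The sixth attempt fails the unit rather than letting a crash loop consume resources.
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
# Automatic restart on crash; StartLimit* above bounds how often this can fire.
Restart=on-failure
RestartSec=5
```

After adding the drop-in, run `systemctl daemon-reload` and check the effective values with `systemctl show myapp.service -p ReloadLimitIntervalUSec -p StartLimitBurst`; a unit that hits the start limit is visible in `systemctl status` as "start request repeated too quickly".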
It may feel like apt functionality is set in stone, but this release of Ubuntu upgrades apt from 2.6.0 to 2.7.3 with two nice security additions:
- Packages with the same version are now additionally validated using SHA-256 hashes.
- Failures running apt on FIPS-enabled systems have been resolved.
NGINX has been updated from 1.22 to 1.24, which includes a number of fixes from the unstable 1.23 branch. New security features in 1.24 include enabling TLS 1.3 by default and automatic rotation of TLS session ticket keys, which eliminates the need for the manual rotation workarounds that some users employed.
Redis has been updated from 7.0.8 to 7.0.12. This minor update includes improved randomness when using RANDOMKEY, SRANDMEMBER, SPOP, ZRANDMEMBER, and HRANDFIELD. It also fixes a bug where pub-sub subscribers were not disconnected when the allchannels permission was removed.
RabbitMQ has received a significant update going from version 3.10.8 to 3.12.1. This release includes a number of great performance and scalability improvements but also some rather significant security improvements:
- The RabbitMQ management UI uses a new OAuth library that lets it authenticate against any OpenID Connect certified server. It replaces the potentially insecure use of the implicit grant type with the more secure authorization code grant type.
- The OAuth plugin now supports Rich Authorization Requests.
- You can now list connections by users and disconnect connections per user within the management UI.
- You can now pre-configure users and their permissions for newly created virtual hosts for environments where users create their own virtual hosts.
PHP has been updated from 8.1 to 8.2 with a few great new security improvements:
- A new Random extension, which makes seeding and generating random values foolproof.
- Entire classes can now be declared read only, which prevents other, potentially malicious, code from modifying their properties.
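As an added illustration (not code from the article or the PHP project), the PHP 8.2 snippet below exercises both features: a readonly class whose instances cannot be mutated or extended with dynamic properties after construction, and the Random extension's `Randomizer`, which draws from the CSPRNG-backed `Secure` engine by default, with a seeded engine shown only for reproducible, non-security work. The class, property names and sample values are constructed for the example.

```php
<?php
// Added example for PHP 8.2 readonly classes and the Random extension.
// ApiCredential and the sample values are constructed for illustration.

// Marking the whole class readonly makes every declared property readonly and
// forbids dynamic properties, so a credential object cannot be altered after
// construction by any other code running in the same process.
readonly class ApiCredential
{
    public function __construct(
        public string $keyId,
        public string $secret,
    ) {}
}

$cred = new ApiCredential('key-123', 's3cr3t'); // constructed sample values

try {
    $cred->secret = 'attacker-chosen';           // throws Error: cannot modify readonly property
} catch (\Error $e) {
    echo "blocked: {$e->getMessage()}\n";
}

try {
    $cred->extra = 'x';                          // throws Error: cannot create dynamic property
} catch (\Error $e) {
    echo "blocked: {$e->getMessage()}\n";
}

// Random extension: Randomizer with no engine argument uses Random\Engine\Secure,
// the CSPRNG-backed engine, so these values are suitable for tokens and secrets.
$rng   = new \Random\Randomizer();
$token = bin2hex($rng->getBytes(16));            // 128-bit unpredictable token
$pin   = $rng->getInt(100000, 999999);           // uniformly distributed 6-digit value
echo "token: $token, pin: $pin\n";

// A seeded engine is deterministic by design: use it for tests and simulations,
// never for anything an attacker must not be able to predict.
$seeded = new \Random\Randomizer(new \Random\Engine\Xoshiro256StarStar(42));
echo implode(',', $seeded->shuffleArray(range(1, 5))), "\n"; // same order on every run
```

Because the default engine is the secure one, the common mistake of reaching for `mt_rand()` or `rand()` to mint session identifiers has an obvious safe replacement; reserve the seeded engines for cases where reproducibility is the goal.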
Time to Upgrade
Overall we think this release is well worth the effort to upgrade for desktop users currently running Ubuntu 23.04. If you’re still on Ubuntu 22.04, we highly recommend the upgrade as there have been significant security improvements in Ubuntu since that release. If you’re interested in everything new, be sure to check out our previous Ubuntu 23.04 Security and Ubuntu 22.10 Security blogs.