do-release-upgrade requires admin rights, and if you are on a LTS release, will stay on that and not automatically bump you up a version. If you use non-official sources it brings up a bunch of warning messages.
However, GUI variants on this are, to the end user, no different to UAC on Windows, where anyone not technically minded enough will just click the button or type in the password, ignore warnings and go off to make a cup of tea. So in practice, it's no more or less secure than Windows Update.
In short - I wouldn't trust the upgrade to be secure. In fact, if you are on a LTS and using Ubuntu for mission critical stuff, I'd avoid upgrading a major version until your release is no longer supported - upgrading does break stuff in subtle ways which takes time for you to fix.
First of all, the package that it refers to linux-lts-trusty
refers to the kernels images. They are named differently in the repositories. If you do apt-cache search linux-.* | grep 'trusty'
you will find packages like linux-image-virtual-lts-trusty
or linux-image-virtual-lts-wily
. In addition , if you open the launchpad link, git.kernel.org link and others from the CVE report you have there all point that this is Linux kernel vulnerability.
So, for linux-lts-trusty
, for which Launchpad latest version at the time of me writing this is 3.13.0-93.140-precise1 lists that only for Ubuntu 12.04 fix is needed, for other versions bug DNE(does not exist):
For linux-lts-wily
, which is version 4.2.0-42.49-14.04.1 , only trusty (14.04 ) is at risk.
So it really depends on the kernel version you are running. Of course, the best approach would be that your server is upgraded to the latest version, 16.04 LTS , and have newer kernel versions. You didn't provide us with your kernel version so we don't know if you are at risk for this or not.
It lists the package versions as well as the release versions. Which confuses me. Like it seems to imply that you can run the Trusty source on the Precise OS?
Technically you can run older kernel on newer OS version and vice versa, so yes, that is correct.
NOTES:
Wily Werewolf (15.10) has already reached End of Life and no longer supported. If you are running this version, I strongly suggest you upgrade.
linux-lts-saucy
kernel version appears that it doesn't have that vulnerability . That's version 3.11.0-26.45-precise1
. I would suggest any 3.11.x version, but this is still not ideal ; newer versions are preferable.
Tracking linux
in the tracker for this CVE for a given release will track the base kernel shipped in that release. Tracking linux-lts-*
in the tracker for this CVE will track an HWE kernel, available only in LTS editions which get HWE updates. Until all of them are "released" or "fixed", for all Source packages and all relevant distributions on the Tracker, you are not going to be able to 'avoid' the CVE.
Best Answer
Installing OpenSSH 7.4 on Ubuntu 14.04