惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
The Register - Security
The Register - Security
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The GitHub Blog
The GitHub Blog
博客园 - 司徒正美
罗磊的独立博客
U
Unit 42
S
SegmentFault 最新的问题
Y
Y Combinator Blog
博客园_首页
Hugging Face - Blog
Hugging Face - Blog
J
Java Code Geeks
Schneier on Security
Schneier on Security
Know Your Adversary
Know Your Adversary
C
Check Point Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Simon Willison's Weblog
Simon Willison's Weblog
V
Vulnerabilities – Threatpost
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
博客园 - 叶小钗
C
Cybersecurity and Infrastructure Security Agency CISA
Spread Privacy
Spread Privacy
L
LINUX DO - 热门话题
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
S
Securelist
A
Arctic Wolf
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Threatpost
Scott Helme
Scott Helme
博客园 - 聂微东
博客园 - 【当耐特】
T
Tenable Blog
I
Intezer
D
DataBreaches.Net
B
Blog RSS Feed
Security Latest
Security Latest
C
Cisco Blogs
T
Tor Project blog
N
Netflix TechBlog - Medium

Ubuntu blog

MAAS installation: bare metal provisioning is easier than ever | Ubuntu Januscape vulnerability CVE-2026-53359 mitigations available | Ubuntu Managing Ubuntu on bare metal at scale Ubuntu Server: a platform made for enterprise scale | Ubuntu Building an open source chain of trust: new research uncovers key blockers and ways forward | Ubuntu Beyond safety and security: Why automotive open source demands dependability  | Ubuntu DirtyClone Linux kernel local privilege escalation vulnerability fixes available | Ubuntu pedit COW kernel local privilege escalation vulnerability mitigations | Ubuntu Canonical becomes Gold Sponsor of Trifecta Tech Foundation | Ubuntu Challenges designers face in open source (and how to fix them) | Ubuntu Hunting a 16-year-old SQLite bug with TLA+: is dqlite affected? | Ubuntu Anbox Cloud on C4A metal: Android, at scale, without friction | Ubuntu Canonical announces live kernel patching for Arm64 | Ubuntu How to use RISC-V custom instructions with Ubuntu | Ubuntu Ubuntu Summit 26.04: connected by open source | Ubuntu So you need to add microcontrollers to your fleet: now what? | Ubuntu Validating real-world skills through Canonical Academy | Ubuntu Virtualized Android comes to Anbox Cloud | Ubuntu Template: Streamlining open source design contributions | Ubuntu A look into Ubuntu Core 26: Building a local AI inference appliance in a virtual machine | Ubuntu A decade of Ubuntu on IBM Z and IBM LinuxONE | Ubuntu AI at the edge: simplifying infrastructure with Cisco and Canonical | Ubuntu The next era of telco clouds: get open infrastructure choice with Sylva and Canonical Kubernetes | Ubuntu What is RDMA over Converged Ethernet (RoCE)? | Ubuntu Beyond tokens per watt – using Ubuntu 26.04 LTS for AI | Ubuntu A look into Ubuntu Core 26: Deploying AI models on Renesas RZ/V series for production | Ubuntu RISC-V profiles – why is RVA23 significant? | Ubuntu AI with AMD ROCm on Ubuntu: your questions answered | Ubuntu Ubuntu and Ubuntu Pro on Azure Cobalt 200 VMs | Ubuntu What is InfiniBand? | Ubuntu How Canonical Support solves hard Linux performance bugs  – even in 12-year old code | Ubuntu Securing AI agent workflows on Ubuntu with the new NVIDIA OpenShell snap | Ubuntu Canonical announces optimized Ubuntu images for TPU virtual machines by Google Cloud | Ubuntu VMware hypervisor deployment using MAAS | Ubuntu Migrating from Apache Spark 3 to Spark 4 | Ubuntu Introducing Workshop: launch sandboxed development environments on Ubuntu with a single command | Ubuntu Run agentic workloads on Arm and Ubuntu | Ubuntu Decoding design: How design and engineering thrive together in open source | Ubuntu Developing web apps with local LLM inference | Ubuntu PinTheft Linux kernel vulnerability mitigation | Ubuntu Canonical announces fully Managed Kubeflow AI operations platform on the Microsoft Azure Marketplace | Ubuntu A look into Ubuntu Core 26: Cloud-powered edge computing with AWS IoT Greengrass and Azure IoT Edge | Ubuntu CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations | Ubuntu Finding the blind spot: How Canonical hunts logic flaws with AI | Ubuntu Fragnesia Linux kernel local privilege escalation vulnerability mitigations | Ubuntu Rethinking BYOD security: protecting data without trusting devices | Ubuntu Dirty Frag Linux kernel local privilege escalation vulnerability mitigations | Ubuntu Three weeks to go: A sneak peek of the Ubuntu Summit 26.04 experience | Ubuntu How to use Ubuntu on Windows | Ubuntu Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability | Ubuntu Run NVIDIA Nemotron 3 Nano Omni locally in a single command | Ubuntu Why Web Engineering is great | Ubuntu Ubuntu 16.04 LTS has reached the end of standard Expanded Security Maintenance with Ubuntu Pro. Here are your options. | Ubuntu Understanding disaggregated GenAI model serving with llm-d | Ubuntu From Jammy to Resolute: how Ubuntu’s toolchains have evolved | Ubuntu Hybrid search and reranking: a deeper look at RAG | Ubuntu Canonical expands Ubuntu support to next-generation MediaTek Genio 520 and 720 platforms | Ubuntu Intentional leadership at Canonical | Ubuntu Ubuntu Pro comes to Nutanix bare-metal Kubernetes | Ubuntu RISC-V 101 – what is it and what does it mean for Canonical? | Ubuntu Ubuntu Summit 26.04 is coming: Save the date and share your story! | Ubuntu How to manage Ubuntu fleets using on-premises Active Directory and ADSys | Ubuntu Simplify bare metal operations for sovereign clouds | Ubuntu How to Harden Ubuntu SSH: From static keys to cloud identity | Ubuntu The “scanner report has to be green” trap | Ubuntu Modern Linux identity management: from local auth to the cloud with Ubuntu | Ubuntu Canonical welcomes NVIDIA’s donation of the GPU DRA driver to CNCF | Ubuntu Hot code burns: the supply chain case for letting your containers cool before you ship | Ubuntu
Beyond Mythos: responding to a new threat landscape | Ubuntu
Lech Sandeck · 2026-06-16 · via Ubuntu blog

Canonical’s security philosophy has always been built on the premise that vulnerabilities exist and will be discovered. Our response relies on defense-in-depth architecture, rapid patch deployment, and strict adherence to Coordinated Vulnerability Disclosure (CVD).

AI changes vulnerability discovery volume and speed. We have a robust vulnerability management process that is backed by rigorous compliance certifications. These processes have demonstrated robustness in stringent ecosystems and we are adapting them with more exposure mapping, better customer guidance, and clearer remediation paths. This is where AI makes our customer service and internal responses more efficient.

To address real-world security we contain the blast radius of newly weaponized legacy bugs using our historically proven confinement tools, enforcing strict kernel-level boundaries with AppArmor and native container isolation (LXD). Building on this securely-designed foundation, we continue to modernize and harden Ubuntu by championing memory-safe languages like Rust.

We align our multi-tiered risk model with upcoming compliance requirements like the EU Cyber Resilience Act (CRA) focusing on actual threat impact rather than blindly chasing raw CVSS scores. Because AI will continuously unearth decades-old dormant flaws, we secure this foundation and your long-term compliance with up to 15 years of security maintenance through Ubuntu Pro.

Additionally, through the Ubuntu Security Research Alliance Program we’re partnering directly with leading security scanning providers in order to improve how accurately our data is presented in scan results, and to ensure that every piece of open source software distributed by Canonical is properly assessed.

1. What is Canonical’s  current awareness of the Mythos / Glasswing CVE disclosure? 

Canonical’s Security Team is transforming its processes and infrastructure to adapt to the scale and speed of new frontier models, such as Mythos, GPT-5.5, and open-weight models. This ensures our incident response teams are fully prepared to triage and remediate the anticipated influx of AI-generated vulnerability reports.

2. Has Canonical conducted any internal AI-assisted vulnerability analysis across its own product estate? 

Yes, we are actively integrating agentic AI frameworks to conduct independent vulnerability analysis across our estate. This evolution builds directly on our strict, foundational quality management practices, such as the extensive package auditing required by our Main Inclusion Review process.

3. Do you have a list of products that you would consider most exposed to the latest frontier-model vulnerability categories? 

Because the foundational Linux stack is historically written in non-memory-safe C/C++, exposure to these classes of vulnerabilities is systemic across the entire open source ecosystem. Rather than maintaining a flat, theoretical “exposed list,” Canonical mitigates these risks structurally. First, we enforce mandatory compiler-level protections that go hand in hand with Linux kernel features for application hardening across the entire Ubuntu archive to reduce exploitability.

Furthermore, we evaluate exposure and prioritize our engineering response through a multi-layered risk model, ensuring that a massive influx of AI-discovered CVEs does not lead to a panicked, one-size-fits-all response. Instead, we right-size our response based on the component at hand:

  • Critical Foundation: Core components that could have significant impact on a system. This includes the kernel, glibc, OpenSSL, systemd, sudo, PAM, and core container runtimes.
  • Infrastructure & Orchestration: Canonical’s management, isolation, and deployment layers. This includes snapd, AppArmor, cloud-init, LXD, MAAS, Juju, and MicroK8s. These tools govern how the infrastructure is secured and scaled.
  • Application Ecosystem: The thousands of open-source applications and dependencies residing in the Universe repository, which are covered under Ubuntu Pro. While an AI-discovered CVE here might impact a specific business service, the threat might be contained by the structural protections (like AppArmor) established by the tiers above it.

and

  • Custom Workloads: Customer-specific applications and proprietary code operating outside of Canonical’s scope.

4. What is Canonical’s typical turnaround time for releasing CVE fixes, and how do you prioritize which vulnerabilities get patched first?

While we do not treat every vulnerability with a uniform SLA, our focus is on rapid remediation for high-risk threats. We aim to prepare, test, and release the most vital security updates within 24 hours on average.

In the event of a true zero-day vulnerability or evidence of active exploitation in the wild, we push expedited, emergency fixes to our users as fast as possible.

Because we understand that not all CVEs carry the same real-world risk, we do not prioritize fixes based strictly on raw CVSS scores. Instead, we triage vulnerabilities based on their specific impact on Ubuntu users. Fixes are expedited for vulnerabilities that present the highest actual risk and affect the largest number of installations, ensuring that your most critical systems receive protection first.

5. Where a software patch cannot be deployed within the required window, what compensating controls or virtual patching capabilities does Canonical have available? 

Ubuntu’s default implementation of AppArmor profiles and snap confinement act as strict structural compensating controls, isolating vulnerable services and protecting against privilege escalation or arbitrary file access. Kernel Livepatch applies permanent kernel vulnerability fixes in-memory without requiring a system reboot.

Furthermore, in instances where a formal fix is not yet available, we aim to provide clear, actionable mitigation strategies – such as specific system workarounds or configuration changes – directly on our CVE trackers (e.g., our published mitigations for CVE-2022-23960) to help you secure your environment in the interim. 

Finally, we frequently publish detailed blog posts breaking down the vulnerabilities, including impact assessments, real-world scenarios, and potential mitigations, to help our users fully understand the risk and secure their environments.

6. What is Canonical’s responsible disclosure process for Glasswing-identified vulnerabilities in your products? 

Canonical does not maintain a separate, specialized vulnerability management process specifically for Project Glasswing. Consequently, we do not provide exclusive early notifications, out-of-band updates, or bypass standard community embargoes for individual partners prior to the Coordinated Release Date (CRD). We adhere to the best-practices recognized by the security community in Coordinated Vulnerability Disclosure (CVD) and we handle embargoes according to our Disclosure Policy.

Canonical’s Security Team ensures that patches are actively developed, thoroughly tested, and pre-staged within the standard embargo window. These fixes are released globally and simultaneously with the public CVE disclosure, ensuring our customers and partners can confidently deploy updates at “day zero.”

7. How is Canonical evolving its development and architectural practices to defend against the class of vulnerabilities that Mythos-like projects uncover?

Canonical is actively modernizing its products to address decades-old paradigms. We are championing the integration of memory-safe languages into the core OS by enabling Rust support in our kernels and providing the complete toolchain for developers. We encourage the community to build in Rust, and our own engineering efforts are focused on rewriting critical user-space components. 

For legacy C/C++ code that cannot be immediately rewritten, we rely on defense-in-depth. Assuming legacy code will inevitably have flaws, we engineer the Ubuntu environment to prevent those logic flaws from becoming viable, chained exploits. 

To achieve this, Ubuntu natively supports robust isolation technologies like snaps and LXD. When users wrap their legacy applications in these secure sandboxed environments, strict kernel-level boundaries – such as cgroups, namespaces, and AppArmor profiles – are enforced, ensuring that even if a legacy application is compromised, the blast radius is tightly contained and the underlying host remains protected.

8. Does the advent of Glasswing mean previously secure Ubuntu systems are now suddenly vulnerable?

The threat landscape timelines are compressing. AI tools are unearthing “N-days” and legacy logic errors that survived conventional human review.

However, a vulnerability does not automatically equal a system compromise. Canonical’s fundamental security architecture, leveraging AppArmor confinement, minimal yet comprehensive images, strict namespace isolation, and proactive memory protections, was specifically designed on the assumption that zero-days and undiscovered flaws will always exist. This defense-in-depth approach is built to tightly contain the “blast radius” when a dormant bug is suddenly weaponized, preventing an attacker from escalating a single flaw into full system control.

Because AI will inevitably accelerate the volume of these historical bugs coming to light, the speed and duration of your patching lifecycle is more critical than ever. Ubuntu Pro provides up to 15 years of security maintenance and support. This ensures that when a decades-old vulnerability is suddenly surfaced with a working exploit, your infrastructure receives rapid, tested patches for years to come, without forcing you into disruptive, premature upgrades.

9. Is Canonical a direct participant in Anthropic’s Project Glasswing or actively using Claude Mythos?

Canonical is currently not a direct participant in Project Glasswing. We engage with all major security initiatives through our established Coordinated Vulnerability Disclosure (CVD) processes. We do not bypass these protocols or grant exclusive early access to any single AI vendor or participant. Our priority is taking security and vulnerability disclosures seriously, independent of the reporting source.

10. What happens if Canonical receives a severe vulnerability report that comes from an AI or model-based discovery tool?

We evaluate the technical merit of the finding, regardless of the entity or method that found it. If an AI tool discovers a severe vulnerability, Canonical conducts a risk assessment based on the specific environmental context of the open source project, and the actual exploitability of the bug. 

11. How should researchers or partners report vulnerabilities they discover in Ubuntu using AI tools?

Our process is governed by the official Ubuntu Security Disclosure Policy. Canonical Security Team participate in responsible disclosure and collaborate closely with the wider open-source community.

When a vulnerability is identified (whether internally, by a partner, or through a researcher, using AI or not), our protocol is as follows:

  • Initial Response: We prioritize rapid assessment and prompt initial response to security reporters. 
  • CVE Assignment: Canonical acts as a CVE Numbering Authority (CNA) and can directly assign CVE numbers.
  • Embargo Adherence: Canonical’s Security Team manages embargo vulnerabilities in coordination with the broader open source community. For issues that are not yet publicly known, we strictly abide by agreed-upon timelines and information-handling. This ensures patches can be safely developed and released simultaneously with the public announcement (“day zero”) without tipping off malicious actors.
  • Emergency Releases: We reserve the right to release fixes immediately if there is evidence of an embargo being broken that leads to a significant risk to our users.
  • Transparency: All Ubuntu vulnerabilities fixed by Canonical’s Security Team are publicly documented and credited via Ubuntu Security Notices (USNs), ensuring our customers have a clear, auditable trail of our security interventions.
  • Accuracy: Information on all vulnerabilities affecting Ubuntu is distributed through industry-standard machine-readable data feeds: OSV, VEX, and OVAL.