apt-news security notification messages may be too vague for users who are not extremely familiar with internal Ubuntu processes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-advantage-tools (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Recently APT has begun showing the following message to Ubuntu users:
# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.
While the message itself is useful, the way it is worded has several problems:
1. It includes terms like 'USN' and 'CVE', which may not be familiar terms to all users.
2. It doesn't include any links to the aforementioned USNs and CVEs. While somebody may use a search engine to find them, it would be better to provide links explicitly, both for convenience, and so that users can be sure that there's an official page that contains all the information they need to learn more about the issue.
3. Perhaps the most important point: **it doesn't tell the user how to check if their system is affected or not**. In fact, this message is shown to everyone, including people who have an up-to-date system, causing confusion, and leading people to ignore these messages in the future because they're getting used to seeing a message that requires no action.
4. It does not tell users how to patch their systems. In my opinion, "ensure you have updated the package..." makes sense only to people who know well enough how APT works, what pockets are, and how Ubuntu security updates are delivered.
5. It does not include the names of the binary packages that need to be upgraded, so the user might need some work to figure out what "the package" is. It's not obvious to everyone that libssl3 is an affected package that should be upgraded (in this specific case).
I propose that all future security warning messages like this one follow a better template that can be more informative to all command-line users, who are not necessarily Ubuntu experts.
[Filing this bug against ubuntu-
Status changed to 'Confirmed' because the bug affects multiple users.