
A nice writeup is here: https://www.cloudfoundry.org/blog/usn-6119-1-openssl-vulnerabilities/

I wrote before about how the Canonical TOS for Ubuntu Pro was odd. It was disappointing to see the following ad:

Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
  gsasl-common libgsasl7
Learn more about Ubuntu Pro at https://ubuntu.com/pro

# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.

Or, restated: "We aren't providing a patch for a known remote exploit affecting our product unless ..."

For those recalling the SolarWinds hack that wreaked havoc in the public sector, this reminds me of how Microsoft had stated they weren't enabling security features for their systems unless one paid even MORE for their pro systems. A "security upsell" that upset many. In the face of massive criticism, Microsoft relented and started allowing security features like logging.

To someone who's "paid" Canonical over the years in countless ways, including contributed documentation, evangelical marketing, convincing enterprise customers to switch to Ubuntu from competing products, my own bug reports, and even published/accepted patches to Canonical products, etc. etc. ... it feels like the trust model that I had in Canonical as an effective purveyor of open-source products has massively decreased.

As I look back - it's crazy how many of the "how-tos" I wrote were Ubuntu-specific. I think it's time I moved on to look at a different primary OS.