Security: Apply Ubuntu Pro ESM patches and plan 22.04 migration

[rdhyee]

Current state (2026-02-19)

Production server (prod7_py3) is running Ubuntu 20.04.6 LTS, which reached end of standard support in April 2025.

Login banner shows:

• ✅ 6 standard updates — applied 2026-02-19 via sudo apt upgrade
• ❌ 117 additional security updates available via ESM Infra (requires Ubuntu Pro)
• ⚠️ Ubuntu 22.04 LTS upgrade available

Action items

Short term: Ubuntu Pro subscription

Ubuntu Pro provides Extended Security Maintenance (ESM) for Ubuntu 20.04 through 2030, unlocking the 117 currently unpatched CVEs.

Options:

• Free personal tier: ubuntu.com/pro → Ubuntu One account → free for up to 5 machines. Run sudo pro attach <token> on the server.
• Existing org subscription: Check if EbookFoundation already has Ubuntu Pro via AWS Marketplace or Canonical.

Steps once token is available:

sudo pro attach YOUR_TOKEN
sudo pro enable esm-infra
sudo apt update && sudo apt upgrade

Long term: Migrate to Ubuntu 22.04 LTS

Ubuntu 22.04 is the right long-term target (standard support through April 2027, ESM through 2032). Ubuntu 20.04 → 22.04 is a supported in-place upgrade path via do-release-upgrade, but for a production web server a fresh instance approach is safer:

1. Provision new EC2 instance from Ubuntu 22.04 AMI
2. Run Ansible playbook against new instance
3. Test with test.unglue.it pattern first
4. Blue/green cutover via Route 53

This should be coordinated with the Django upgrade work (#1081) — upgrading both OS and Django together avoids doing two major migrations separately.

Related

• #1081 — Django migration plan (1.11 → 5.1)
• Ephemeral Test Environment Infrastructure #15 — Ephemeral test environment infrastructure

[eshellman]

would prefer migration to ubuntu 22