Ubuntu-devel-discuss Digest, Vol 131, Issue 7
Thomas Gertin
tgertin at vt.edu
Wed Oct 11 14:20:37 UTC 2017
Thanks guys,
Here are my CVE identifiers:
CVE-2016-9843
CVE-2016-9842
CVE-2016-9841
CVE-2016-9840
I looked them up on the Ubuntu CVE tracker
(https://people.canonical.com/~ubuntu-security/cve/)
I am having trouble reading the results and determining if there exist
any fixes for these CVEs. In the package list all of the CVEs state
"needs-triage" for Ubuntu 14.04 LTS. Does this mean that none of these
CVEs have fixes?
Thanks,
Tom
On Wed, Oct 11, 2017 at 8:00 AM,
<ubuntu-devel-discuss-request at lists.ubuntu.com> wrote:
> Today's Topics:
>
> 1. need to fix 4 high vulnerability assessments about needing to
> update zlib 1.2.8 (Thomas Gertin)
> 2. Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8 (Robie Basak)
> 3. Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8 (Thomas Ward)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 10 Oct 2017 16:54:40 -0400
> From: Thomas Gertin <tgertin at vt.edu>
> To: ubuntu-devel-discuss at lists.ubuntu.com
> Subject: need to fix 4 high vulnerability assessments about needing to
> update zlib 1.2.8
> Message-ID:
> <CAKVWn8CPpoN3CfAdJ_Ku-WyF1hNpptADPuCTdvpTEMEXH-d0Kw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> I am getting 4 high vulnerability assessments from my Common
> Vulnerabilities and Exposures-1.1 rules package. They all recommend
> updating my zlib package. I have updated my zlib package and it is
> up-to-date with version 1.2.8. However, it still produces the same
> vulnerability assessments, and I think I may need to update it
> further. I have Ubuntu 14.04.5 LTS. Can anybody help on how to do
> this?
>
> Thanks,
>
> Tom
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 10 Oct 2017 22:22:54 +0100
> From: Robie Basak <robie.basak at ubuntu.com>
> To: Thomas Gertin <tgertin at vt.edu>
> Cc: ubuntu-devel-discuss at lists.ubuntu.com
> Subject: Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8
> Message-ID: <20171010212254.GF19514 at mal.justgohome.co.uk>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Thomas,
>
> On Tue, Oct 10, 2017 at 04:54:40PM -0400, Thomas Gertin wrote:
>> I am getting 4 high vulnerability assessments from my Common
>> Vulnerabilities and Exposures-1.1 rules package. They all recommend
>> updating my zlib package. I have updated my zlib package and it is
>> up-to-date with version 1.2.8. However, it still produces the same
>> vulnerability assessments, and I think I may need to update it
>> further. I have Ubuntu 14.04.5 LTS. Can anybody help on how to do
>> this?
>
> First step: you should have a list of CVE identifiers for the
> vulnerabilities that your tooling believes exist. Look these up in
> Ubuntu's CVE database to see what the security team believes is the
> current state of those.
>
> You can find the CVE database at
> https://people.canonical.com/~ubuntu-security/cve/
>
> Then, if you still have concerns, please post the specific CVEs that
> bother you and explain these concerns in the context of what our CVE
> database says our position is about them.
>
> If you are having difficulty in actually updating your system's
> packages, then this list is probably the wrong place for a discussion
> about that unless you have reason to think that there's a bug or other
> problem in Ubuntu in general, as opposed to just your system.
>
> Hope that helps,
>
> Robie
>
> ------------------------------
>
> Message: 3
> Date: Tue, 10 Oct 2017 18:31:31 -0400
> From: Thomas Ward <teward at ubuntu.com>
> To: ubuntu-devel-discuss at lists.ubuntu.com
> Subject: Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8
> Message-ID: <15ecd4a1-a3c7-6a8c-39a5-37a8ec951c7e at ubuntu.com>
> Content-Type: text/plain; charset="utf-8"
>
> Consider that vulnerability scanners are 99% of the time **unaware** of
> how the Ubuntu Security Team does updates.
>
> Please compare what vulnerabilities are being reported against the
> corresponding CVEs on the Security Team CVE tracker
> (http://people.canonical.com/~ubuntu-security/cve/) and then depending
> on whether it's reported as fixed or not, adjust your rules for those
> detections. (I do this in Nessus - with individual scans of my Ubuntu
> infrastructure adjusted on a per-host basis so that it doesn't trigger
> on certain events, because it's already resolved but the scanners are
> unable to actually recognize it).
>
>
> Thomas
> Ubuntu Server Team Member
> LP: ~teward
>
>
> On 10/10/2017 04:54 PM, Thomas Gertin wrote:
>> Hello,
>>
>> I am getting 4 high vulnerability assessments from my Common
>> Vulnerabilities and Exposures-1.1 rules package. They all recommend
>> updating my zlib package. I have updated my zlib package and it is
>> up-to-date with version 1.2.8. However, it still produces the same
>> vulnerability assessments, and I think I may need to update it
>> further. I have Ubuntu 14.04.5 LTS. Can anybody help on how to do
>> this?
>>
>> Thanks,
>>
>> Tom
>>
>
> ------------------------------
>
> End of Ubuntu-devel-discuss Digest, Vol 131, Issue 7
> ****************************************************
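
The reconciliation described in the quoted replies (look up each scanner finding in the Ubuntu CVE tracker, then adjust the scan rules according to the recorded status), sketched as an added example that is not part of the original thread. The `release_package: status` line layout, the status names handled and the function name `triage` are assumptions; the `CVE-0000-*` rows and version strings are constructed placeholders.

```python
import re

# Constructed sample in an assumed "CVE release_package: status (note)" layout.
# The four CVE-2016-98xx IDs and their needs-triage state for Ubuntu 14.04
# (trusty) are taken from the thread; every CVE-0000-* row is a placeholder.
TRACKER = """\
CVE-2016-9840 trusty_zlib: needs-triage
CVE-2016-9841 trusty_zlib: needs-triage
CVE-2016-9842 trusty_zlib: needs-triage
CVE-2016-9843 trusty_zlib: needs-triage
CVE-0000-0001 trusty_zlib: released (0:placeholder-fixed)
CVE-0000-0002 trusty_zlib: not-affected (code not present)
CVE-0000-0003 xenial_zlib: released (0:placeholder-fixed)
"""

LINE = re.compile(
    r"^(CVE-\d{4}-\d+)\s+([a-z]+)_([a-z0-9.+-]+):\s*([\w-]+)(?:\s*\((.*)\))?\s*$"
)

def triage(findings, release, package, tracker_text=TRACKER):
    """Map each scanner finding to an action for one release/package pair."""
    status = {}
    for line in tracker_text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) == release and m.group(3) == package:
            status[m.group(1)] = (m.group(4), m.group(5))

    result = {}
    for cve in findings:
        state, note = status.get(cve, ("unknown", None))
        if state == "not-affected":
            # Tracker records the release as unaffected: candidate for a
            # per-host scanner exception, with the note as justification.
            result[cve] = ("suppress", note)
        elif state == "released":
            # A fixed package version is named; suppress only after checking
            # the installed version against it (dpkg --compare-versions).
            result[cve] = ("verify-installed-version", note)
        else:
            # needs-triage, unknown, etc.: no assessment recorded yet, so
            # there is no basis for suppressing the finding.
            result[cve] = ("keep-open", state)
    return result

if __name__ == "__main__":
    reported = ["CVE-2016-9843", "CVE-2016-9842", "CVE-0000-0001", "CVE-0000-0002"]
    for cve, (action, detail) in triage(reported, "trusty", "zlib").items():
        print(f"{cve}: {action} ({detail})")
```
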