Is there an official statement about the Ubuntu package version identifier

Rafael David Tinoco rafaeldtinoco at
Fri Jun 7 17:35:02 UTC 2019

Hello Leroy

On 06/06/2019 16:03, Leroy Tennison wrote:
> The reason I ask is I have a commercial vulnerability scanner reporting
> as "fail" a test (for example, CVE-2016-5387)of our
> systems where states
> that a fix has been released and our current version appears to be later
> than that release.  I need to dispute that finding for compliance
> reasons but would like an official statement to show to the vendor
> concerning how Ubuntu handles these things.  I suspect the vendor is
> only checking the upstream major and minor version number rather than
> actually testing and thus concluding a "fail" erroneously.

2 good resources about versioning can be found here:

Debian versioning:

A blog entry from Robie basak, explaining Ubuntu versioning in details:

A good way of making sure a version is greater than other is to execute:

dpkg --compare-versions 1ubuntu1.0-1 gt 1ubuntu1.0~1 && echo greater
than || echo less than

and check.

More information about the ubuntu-server mailing list