Is there an official statement about the Ubuntu package version identifier
Rafael David Tinoco
rafaeldtinoco at ubuntu.com
Fri Jun 7 17:35:02 UTC 2019
Hello Leroy
On 06/06/2019 16:03, Leroy Tennison wrote:
> The reason I ask is I have a commercial vulnerability scanner reporting
> as "fail" a test (for example, CVE-2016-5387)of our
> systems where https://people.canonical.com/~ubuntu-security/cve/ states
> that a fix has been released and our current version appears to be later
> than that release. I need to dispute that finding for compliance
> reasons but would like an official statement to show to the vendor
> concerning how Ubuntu handles these things. I suspect the vendor is
> only checking the upstream major and minor version number rather than
> actually testing and thus concluding a "fail" erroneously.
2 good resources about versioning can be found here:
Debian versioning:
https://www.debian.org/doc/debian-policy/ch-controlfields.html#version
A blog entry from Robie basak, explaining Ubuntu versioning in details:
http://www.justgohome.co.uk/blog/2015/01/ubuntu-package-versions.html
A good way of making sure a version is greater than other is to execute:
dpkg --compare-versions 1ubuntu1.0-1 gt 1ubuntu1.0~1 && echo greater
than || echo less than
and check.
More information about the ubuntu-server
mailing list