Is there an official statement about the Ubuntu package version identifier

Dimitri John Ledkov xnox at ubuntu.com
Sat Jun 8 00:18:53 UTC 2019


On Thu, 6 Jun 2019 at 20:04, Leroy Tennison <leroy at datavoiceint.com> wrote:
>
> The reason I ask is I have a commercial vulnerability scanner reporting
> as "fail" a test (for example, CVE-2016-5387) of our systems where
> https://people.canonical.com/~ubuntu-security/cve/ states that a fix has
> been released and our current version appears to be later than that
> release.  I need to dispute that finding for compliance reasons but would
> like an official statement to show to the vendor concerning how Ubuntu
> handles these things.  I suspect the vendor is only checking the upstream
> major and minor version number rather than actually testing and thus
> concluding a "fail" erroneously.
>
> Harriscomputer


Ubuntu publishes its CVE status in OVAL (https://oval.mitre.org/) which I
would expect a commercial vulnerability scanner to be able to parse.
https://people.canonical.com/~ubuntu-security/oval/ e.g.
com.ubuntu.xenial.cve.oval.xml.bz2 for xenial release.

From xenial release data, it does contain definition for:

<reference source="CVE" ref_id="CVE-2016-5387" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387" />


The criteria that must be applied for this CVE on Ubuntu 16.04 Xenial
release are:

            <criteria>
                <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100" comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" />
                <criteria operator="OR">
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000000" comment="apache2 package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000010" comment="apache2-bin package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000020" comment="apache2-data package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000030" comment="apache2-suexec-custom package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000040" comment="apache2-suexec-pristine package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                    <criterion test_ref="oval:com.ubuntu.xenial:tst:201653870000050" comment="apache2-utils package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
                </criteria>
            </criteria>


Meaning that if those packages are installed, they need to be at least of
those versions... Granted I can see how actual version numbers are
basically freeform text in a comment field, but that is as official an answer
as it gets. "was vulnerable but has been fixed".

Ditto similar for trusty release. So extracting the full xml paragraph
covering the CVE-2016-5387 is an adequate answer as to which set of
packages were affected, and which versions of them mitigate the CVE in
question.

-- 
Regards,

Dimitri.