Is there an official statement about the Ubuntu package version identifier

Robie Basak robie.basak at ubuntu.com
Sat Jun 8 15:21:19 UTC 2019


Hi Leroy,

Some additions to what others have already said:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions points out "Sometimes
external security vendors doing software version scanning against Ubuntu
systems do not check actual package versions, leading to false positives
in their scan reports. For an authoritative source of what packages may
have outstanding vulnerabilities, the Ubuntu CVE Tracker can be
consulted."

The Ubuntu CVE Tracker at
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
says that the fix was released in package version "2.4.18-2ubuntu3.1"
(in Xenial, for example), and I believe this database reflects the
Ubuntu Security Team's official position. In addition it is confirmed in
the linked announcement https://usn.ubuntu.com/3038-1/ which certainly
is an official statement.

If that is not sufficient for your needs, why isn't it?

Robie
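
Added example, not part of the original message: a Python implementation of Debian version ordering, showing why a scanner that reads only the upstream part ("2.4.18") cannot tell a patched system from an unpatched one, while a full comparison against the tracker's fixed version "2.4.18-2ubuntu3.1" can. The other installed versions are constructed samples and the function names are this example's own; on a real system `dpkg --compare-versions` performs the same comparison.

```python
import re
from itertools import zip_longest

FIXED = "2.4.18-2ubuntu3.1"  # fixed version for Xenial, as quoted in the message

def _order(c):
    # '~' sorts before end-of-part (0); letters sort before other characters
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs (Debian Policy, Version field)
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        width = max(len(sa), len(sb))
        ka = [_order(c) for c in sa] + [0] * (width - len(sa))
        kb = [_order(c) for c in sb] + [0] * (width - len(sb))
        if ka != kb:
            return -1 if ka < kb else 1
        da, db = int(na or 0), int(nb or 0)  # an empty digit run counts as 0
        if da != db:
            return -1 if da < db else 1
    return 0

def split_version(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':',
    # revision starts after the last '-'
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1, like a three-way comparison
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(installed, fixed=FIXED):
    return compare_versions(installed, fixed) >= 0

def upstream_only(v):
    # What a scanner sees if it ignores the distribution revision
    return split_version(v)[1]

if __name__ == "__main__":
    # Constructed sample versions: one before the fix, the fix, one after it
    for v in ("2.4.18-2ubuntu3", FIXED, "2.4.18-2ubuntu3.17"):
        print(v, "upstream:", upstream_only(v), "patched:", is_patched(v))
```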


More information about the ubuntu-server mailing list