Is there an official statement about the Ubuntu package version identifier

Leroy Tennison leroy at datavoiceint.com
Tue Jun 11 18:07:45 UTC 2019


I apologize for the delayed response; I was tasked with an urgent request right after sending this. Thank you for your reply and the good information it provided.

Leroy Tennison
Network Information/Cyber Security Specialist
E: leroy at datavoiceint.com


________________________________
From: Rafael David Tinoco <rafaeldtinoco at ubuntu.com>
Sent: Friday, June 7, 2019 12:35:02 PM
To: Leroy Tennison; ubuntu-server at lists.ubuntu.com
Subject: [EXTERNAL] Re: Is there an official statement about the Ubuntu package version identifier

Hello Leroy

On 06/06/2019 16:03, Leroy Tennison wrote:
> The reason I ask is I have a commercial vulnerability scanner reporting
> as "fail" a test (for example, CVE-2016-5387) of our
> systems where https://people.canonical.com/~ubuntu-security/cve/ states
> that a fix has been released and our current version appears to be later
> than that release.  I need to dispute that finding for compliance
> reasons but would like an official statement to show to the vendor
> concerning how Ubuntu handles these things.  I suspect the vendor is
> only checking the upstream major and minor version number rather than
> actually testing and thus concluding a "fail" erroneously.

2 good resources about versioning can be found here:

Debian versioning:

https://www.debian.org/doc/debian-policy/ch-controlfields.html#version

A blog entry from Robie Basak, explaining Ubuntu versioning in detail:

http://www.justgohome.co.uk/blog/2015/01/ubuntu-package-versions.html

A good way of making sure a version is greater than another is to execute:

dpkg --compare-versions 1ubuntu1.0-1 gt 1ubuntu1.0~1 && echo greater than || echo less than

and check.