Is there an official statement about the Ubuntu package version identifier

Leroy Tennison leroy at
Tue Jun 11 18:40:25 UTC 2019

As I said previously, sorry for the delayed response.  This is perfect, I wasn't aware of the significance of the usn link on, that is exactly what I am going to use in my reply to the scanning vendor.  Thank you so much for your reply.


Leroy Tennison
Network Information/Cyber Security Specialist

From: Robie Basak <robie.basak at>
Sent: Saturday, June 8, 2019 10:21:19 AM
To: Leroy Tennison
Cc: ubuntu-server at
Subject: [EXTERNAL] Re: Is there an official statement about the Ubuntu package version identifier

Hi Leroy,

Some additions to what others have already said: points out "Sometimes
external security vendors doing software version scanning against Ubuntu
systems do not check actual package versions, leading to false positives
in their scan reports. For an authoritative source of what packages may
have outstanding vulnerabilities, the Ubuntu CVE Tracker can be

The Ubuntu CVE Tracker at
says that the fix was released in package version "2.4.18-2ubuntu3.1"
(in Xenial, for example), and I believe this database reflects the
Ubuntu Security Team's official position. In addition it is confirmed in
the linked announcement which certainly
is an official statement.

If that is not sufficient for your needs, why isn't it?
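
The check the quoted reply describes, comparing the full installed package version against the version in which the fix was released, as an added example that is not part of either e-mail and is not Ubuntu's or dpkg's own code. It reimplements Debian version ordering in Python; "2.4.18-2ubuntu3.1" is the fixed version quoted above, while `UPSTREAM_FIXED` and all function names are constructed for illustration.

```python
import re

FIXED = "2.4.18-2ubuntu3.1"  # fixed package version quoted in the message (Xenial)
UPSTREAM_FIXED = "2.4.99"    # constructed placeholder for an upstream release with the fix

def order(c):
    # Weight of a character in a non-digit run: '~' sorts before everything,
    # end-of-run (0) next, then letters, then all other characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def cmp_part(a, b):
    # Compare two upstream-version or revision strings, alternating
    # non-digit runs (weighted by order()) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        n = max(len(na), len(nb))
        ka = [order(c) for c in na] + [0] * (n - len(na))
        kb = [order(c) for c in nb] + [0] * (n - len(nb))
        if ka != kb:
            return -1 if ka < kb else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def split_version(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_cmp(v1, v2):
    # Returns -1, 0 or 1: epoch first, then upstream version, then revision.
    (e1, u1, r1), (e2, u2, r2) = split_version(v1), split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return cmp_part(u1, u2) or cmp_part(r1, r2)

def is_patched(installed, fixed=FIXED):
    # Correct check: full package version at or above the fixed package version.
    return deb_cmp(installed, fixed) >= 0

def naive_flag(installed, upstream_fixed=UPSTREAM_FIXED):
    # Upstream-only scanner logic: drop the distro revision, compare the rest.
    return cmp_part(split_version(installed)[1], upstream_fixed) < 0
```

A host at the fixed revision passes `is_patched` yet is still flagged by `naive_flag`, which is the false positive the scan report shows.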
