1

To my understanding, bug and vulnerability fixes are released separately in -updates and -security. 1 patch fixes CVE(s) for 1 package (no cumulative patches like in Windows). There is a patch for each version of Ubuntu per package (fix at current version for stability reasons).

Here are my questions:

  • When are the -security and -updates mirrors merged? In the next Ubuntu release?

  • If a CVE is found and fixed at version N of the package, does version N+1 of the package include the fix?

  • If a security patch is released for Ubuntu 18.04 and there is no mention of Ubuntu 20.04 on the USN page, is the fix included in Ubuntu 20.04, or is the old CVE not applicable?

In this example: https://ubuntu.com/security/notices/USN-3876-1

The latest version of the patch mentioned in the USN is for Ubuntu 18.04 and named avahi-daemon 0.7-4ubuntu2.1.

My installed version in Ubuntu 20.04 is newer: 0.7-4ubuntu7.2. Does it include the security patch for CVE-2017-6519 even if the version of Ubuntu is not the same?

DenLi
  • 23

1 Answer

3

When a USN is posted, that means an update for all affected versions has been released to the repository in both the -security and -updates pockets for the affected releases, and most likely for every release thereafter, especially if it's fixed by the upstream developers for a given source package.

This is where you have to look at the CVE page itself for a given CVE to really start to dissect this, and also have a little bit of understanding how Ubuntu package versions are determined among other things. This is the CVE tracker page for the CVE you've referenced (CVE-2017-6519).

When a security update is pushed it lands in both -security and -updates pockets. This is done to make sure all people get the security patch.

However, you have to do version comparisons of the package versions you have installed vs. the affected/fixed versions.

This is the screenshot of this page right now:

[screenshot of the CVE tracker page for CVE-2017-6519]

We can see that the first version in Ubuntu to receive this fix was 0.7-3.1ubuntu1.2, which was introduced in Bionic.

We then refer to the version in your system - 0.7-4ubuntu7.2. This is the same codebase as 0.7-3.1ubuntu1.2 - that is, Avahi 0.7 - but with additional package revisions and patches.

Because these are the same codebase version but different package revisions that are later than the "fix released" version, you are already patched for this CVE. That's why later releases don't show up in the table, and why you don't need to worry. Later versions of Avahi are likely fixed and patched for this CVE as well.


Avahi has actually patched this in version 0.8 upstream. We know this from their GitHub tags and release notes - https://github.com/lathiat/avahi/releases/tag/v0.8

As such, the CVE needs to be updated to reflect the upstream patch version to mark that as released/fixed. However, your codebase is 0.7, so the version of the package in your release of Focal is built off that package with additional packaging changes to get to -4ubuntu* as its package version string.

We can see all the versions of Avahi available by looking at its page in Launchpad for what supported releases there are and what versions each release has:

[screenshot of the Avahi source package page on Launchpad]

Once the Security team publishes a fix, they are not obligated to go back and update the tracker for upstream's patch versions; though they sometimes do, it doesn't always get updated (in this case I asked the Security team to update that CVE's page).

Because this security patch was fixed in version 0.8 of Avahi, you will note all later versions of Ubuntu are using version 0.8 and as such already have this patch included (and not distro-patched in the -security repos for those later releases but included as part of the base code for Avahi).

Thomas Ward
  • 74,764
  • "Needs Triage" means that the Ubuntu Security Team hasn't audited to see whether a new release has been made in Avahi yet to fix it. Security team isn't obligated to check upstream but may. – Thomas Ward Oct 10 '23 at 15:16
  • Thank you for your reply! This question sounds stupid, but I don't understand what upstream means. I already read this link. Is it the father of all newly released versions of Ubuntu? Focal refers to 20.04 for example. So a fix pushed to upstream would be present in all N+1 versions? – DenLi Oct 10 '23 at 16:07
  • @DenLi "Upstream" means the people who actually make the software. Avahi has its own upstream developers, since the software originates from outside Ubuntu ("upstream" from Ubuntu in the chain of where development happens). It's basically where the software is developed. And no, a fix pushed to upstream doesn't necessarily mean it'll get fixed in Ubuntu. Split the package version to understand where changes are: 0.7-4ubuntu7.2 = Avahi version 0.7 (upstream) + multiple package changes and patches on top of that in Ubuntu/Debian. – Thomas Ward Oct 10 '23 at 16:55
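The installed-vs-fixed version comparison the answer describes, together with the 0.7-4ubuntu7.2 split from the comments, as an added example (my own code, not from the answer, the question or dpkg itself): it ports dpkg's comparison rules and assumes only that inputs follow the `[epoch:]upstream[-revision]` form; `split_version`, `compare` and `is_fixed` are names I chose.

```python
import re
from itertools import zip_longest

# Added example (my own code, not from the answer above or from dpkg): a port of
# dpkg's version-comparison rules, so the installed-vs-fixed check the answer
# describes and the 0.7-4ubuntu7.2 split from the comments can be reproduced.
def _order(c):
    """dpkg character weight: '~' < end of string < letters < other symbols."""
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare alternating non-digit / digit runs, as dpkg's verrevcmp() does."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0); a = a[len(na):]
        nb = re.match(r"[^0-9]*", b).group(0); b = b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da = re.match(r"[0-9]*", a).group(0); a = a[len(da):]
        db = re.match(r"[0-9]*", b).group(0); b = b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def split_version(v):
    """'1:0.7-4ubuntu7.2' -> epoch 1, upstream 0.7, Debian rev 4, Ubuntu rev 7.2."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    m = re.fullmatch(r"(.*?)(?:ubuntu(.*))?", revision)
    return {"epoch": int(epoch), "upstream": upstream, "revision": revision,
            "debian_revision": m.group(1), "ubuntu_revision": m.group(2) or ""}

def compare(v1, v2):
    """Return -1, 0 or 1, like `dpkg --compare-versions` lt / eq / gt."""
    p1, p2 = split_version(v1), split_version(v2)
    if p1["epoch"] != p2["epoch"]:
        return -1 if p1["epoch"] < p2["epoch"] else 1
    return (_cmp_part(p1["upstream"], p2["upstream"])
            or _cmp_part(p1["revision"], p2["revision"]))

def is_fixed(installed, fixed):
    """True when the installed version is at or past the USN/tracker fixed version."""
    return compare(installed, fixed) >= 0
```

Compare only within one Ubuntu release: Focal's 0.7-4ubuntu7.2 and Bionic's 0.7-3.1ubuntu1.2 are built from different Debian bases, so the per-release status on the CVE tracker (or the CVE id in `apt changelog avahi-daemon`) is the authoritative check rather than the number ordering alone.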