Traceroute Vulnerability (CVE-2023-46316) fixes are not released

Question

We are currently using ubuntu 20.04 LTS version in our environment, This traceroute CVE-2023-46316 vulnerability was reported for the Installed package : traceroute_1:2.1.0-2, and this Vulnerability was fixed as part of ESM.

However, Ubuntu 20.04 does not reach EOL, So why was this particular package released only as part of ESM?

Installed package : traceroute_1:2.1.0-2 Fixed package : traceroute_1:2.1.0-2ubuntu0.20.04.1~esm1

The package is in the Universe repo, and thus only patched upstream or as part of Ubuntu Pro. Also, see below. — Artur Meinild, Jan 18 '24 at 16:17

score 0 · Answer 1 · answered Jan 18 '24 at 16:27

You can build a patched version 2.1.3 or 2.1.5 from here:

sudo apt remove traceroute
wget https://unlimited.dl.sourceforge.net/project/traceroute/traceroute/traceroute-2.1.3/traceroute-2.1.3.tar.gz
tar xvf traceroute-2.1.3.tar.gz
cd traceroute-2.1.3
make 
sudo make install

Check the version:

traceroute --version
Modern traceroute for Linux, version 2.1.3
Copyright (c) 2016  Dmitry Butskoy,   License: GPL v2 or any later

Traceroute Vulnerability (CVE-2023-46316) fixes are not released

1 Answers1