29

Today a couple of buffer overflows in NTP were announced [1], [2]. It looks like updating my system to fix these issues is in order.

How can I find out if they have been fixed in the Ubuntu repositories, such that if I were to run:

sudo apt-get update
sudo apt-get upgrade

then the fix would get installed and the vulnerability closed?

Edit: The selected answer specifically addresses the question of how to identify if a given CVE has been fixed or not; "Does Ubuntu generally post timely security updates?" [3] is certainly related but not identical.

Jxtps

7 Answers

24

What you're looking for are Ubuntu Security Notifications and they are not clearly listed in the repositories. This page is the main Ubuntu Security Notifications listing.

As for individual packages, updates which address security fixes are in their own special repository, the -security pocket. Using Synaptic, you can switch to the "Origin" view, and see packages in the RELEASE-security pocket.

All CVEs are also listed in the Ubuntu Security Team's CVE tracker - with your specifically referenced CVE here. In the case of CVE-2014-9295 which you reference here, it has not yet been fixed at the time this post was written. (It has since been updated/patched)

Once an update has been released to the security repository, it will be picked up by sudo apt-get update; sudo apt-get upgrade.

Thomas Ward
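The answer above points at the -security pocket as the place security fixes land. The following is an added example, not code from the answer: it reads the output of apt-cache policy PKG (the command-line equivalent of Synaptic's "Origin" view) and reports whether the candidate version comes from a RELEASE-security suite and whether it is already installed. The sample output embedded below is constructed, and its version strings are illustrative only.

```shell
#!/bin/sh
# Added example (not from the answer above): decide from `apt-cache policy PKG`
# output whether the candidate version comes from a RELEASE-security pocket and
# whether it is already installed. The sample output at the bottom is constructed.

# Read `apt-cache policy` output on stdin and print "installed candidate origins",
# where origins is a comma-separated list of suite/component pairs that carry
# the candidate version (for example focal-security/universe).
policy_summary() {
    awk '
        /^  Installed:/ { inst = $2 }
        /^  Candidate:/ { cand = $2 }
        # version rows: "     <ver> <pin>", or " *** <ver> <pin>" for the installed one
        /^ \*\*\* / || /^     [^ ]/ { cur = ($1 == "***") ? $2 : $1; next }
        # source rows under a version: "        <pin> <url> <suite/component> <arch> Packages";
        # the "/var/lib/dpkg/status" row has only two fields and is skipped
        cur == cand && $1 ~ /^[0-9]+$/ && NF >= 3 {
            origins = (origins == "") ? $3 : origins "," $3
        }
        END { print inst, cand, origins }
    '
}

# Print a one-line verdict; exit 0 when an upgrade is pending, 1 when up to date.
security_update_status() {
    set -- $(policy_summary)
    inst=$1 cand=$2 origins=$3
    case "$origins" in
        *-security/*) from="the security pocket ($origins)" ;;
        *)            from="$origins" ;;
    esac
    if [ "$inst" = "$cand" ]; then
        echo "$inst is installed and is the newest available version"
        return 1
    fi
    echo "$inst installed; $cand available from $from; run apt-get upgrade"
    return 0
}

# Constructed sample of `apt-cache policy ntp` output (versions are illustrative).
SAMPLE_POLICY='ntp:
  Installed: 1:4.2.8p12+dfsg-3ubuntu4
  Candidate: 1:4.2.8p12+dfsg-3ubuntu4.1
  Version table:
     1:4.2.8p12+dfsg-3ubuntu4.1 500
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
 *** 1:4.2.8p12+dfsg-3ubuntu4 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status'

# On a real host:  apt-cache policy ntp | security_update_status
printf '%s\n' "$SAMPLE_POLICY" | security_update_status
```

The same version is often published to both RELEASE-security and RELEASE-updates, which is why the origins field is a list rather than a single value; a candidate that shows only RELEASE-updates or RELEASE-proposed origins is not a security release, whatever its version number suggests.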
18

While the accepted answer is correct, I often find I am able to find out this info by viewing the changelog of a package, and that is easier than scouring the CVE trackers or security notifications listing. For example:

sudo apt-get update
apt-get changelog ntp

The output of the above command includes:

...
ntp (1:4.2.6.p5+dfsg-3ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: weak default key in config_auth()
    - debian/patches/CVE-2014-9293.patch: use openssl for random key in
      ntpd/ntp_config.c, ntpd/ntpd.c.
    - CVE-2014-9293
  * SECURITY UPDATE: non-cryptographic random number generator with weak
    seed used by ntp-keygen to generate symmetric keys
    - debian/patches/CVE-2014-9294.patch: use openssl for random key in
      include/ntp_random.h, libntp/ntp_random.c, util/ntp-keygen.c.
    - CVE-2014-9294
  * SECURITY UPDATE: buffer overflows in crypto_recv(), ctl_putdata(), configure()
    - debian/patches/CVE-2014-9295.patch: check lengths in
      ntpd/ntp_control.c, ntpd/ntp_crypto.c.
    - CVE-2014-9295
  * SECURITY UPDATE: missing return on error in receive()
    - debian/patches/CVE-2015-9296.patch: add missing return in
      ntpd/ntp_proto.c.
    - CVE-2014-9296

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Sat, 20 Dec 2014 05:47:10 -0500
...

Which clearly shows that the bugs you mentioned have been fixed in the Ubuntu repositories. You can then run:

sudo apt-get upgrade

to pull down the fix.

4

The quickest way to figure out which packages (if any) contain the fix is to append the CVE identifier to URL prefix https://ubuntu.com/security/. I'll use CVE-2023-2650 as an example and in that case, the resulting URL is https://ubuntu.com/security/CVE-2023-2650 and there you can find the package versions for each Ubuntu variant where the vulnerability is fixed.

3

Years have passed since this question was asked, but nowadays you can check with the awesome tool debsecan whether your machine is patched against a specific CVE-xxxx-yyyy. Run this:

sudo apt install debsecan
# .. install even postfix and exim with the correct configuration
debsecan | grep CVE-2014-9295
morhook
0

You can try this command to list CVEs that have already been fixed, if your system is concerned (also works on Debian).

Here I'm checking if CVE-2023-6779 or CVE-2023-6780 or CVE-2023-4911 or CVE-2023-6246 have been fixed on my system (if concerned):

$ time zegrep -i "CVE-(2023-6779|2023-6780|2023-4911|2023-6246)" /usr/share/doc/*/changelog.Debian.gz
/usr/share/doc/libc-bin/changelog.Debian.gz:    - debian/patches/any/CVE-2023-4911.patch: terminate immediately if end
/usr/share/doc/libc-bin/changelog.Debian.gz:    - CVE-2023-4911
/usr/share/doc/libc-dev-bin/changelog.Debian.gz:    - debian/patches/any/CVE-2023-4911.patch: terminate immediately if end
/usr/share/doc/libc-dev-bin/changelog.Debian.gz:    - CVE-2023-4911
/usr/share/doc/libc6-dbg/changelog.Debian.gz:    - debian/patches/any/CVE-2023-4911.patch: terminate immediately if end
/usr/share/doc/libc6-dbg/changelog.Debian.gz:    - CVE-2023-4911
/usr/share/doc/libc6-dev/changelog.Debian.gz:    - debian/patches/any/CVE-2023-4911.patch: terminate immediately if end
/usr/share/doc/libc6-dev/changelog.Debian.gz:    - CVE-2023-4911
/usr/share/doc/libc6/changelog.Debian.gz:    - debian/patches/any/CVE-2023-4911.patch: terminate immediately if end
/usr/share/doc/libc6/changelog.Debian.gz:    - CVE-2023-4911
/usr/share/doc/locales/changelog.Debian.gz:    - debian/patches/any/CVE-2023-4911.patch: terminate immediately if end
/usr/share/doc/locales/changelog.Debian.gz:    - CVE-2023-4911

real    0m44,229s
user    0m20,248s
sys     0m42,457s

Or you can check this ubuntu website to search for a CVE on Ubuntu or this debian website to search for a CVE on Debian.

SebMa
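Both the apt-get changelog answer above and this one rely on the same evidence: a changelog entry that names the CVE. The following is an added example, not code from either answer, that turns that manual grep into a check. cve_fix_version extracts, from any Debian changelog text, the version of the oldest entry naming the CVE (entries are newest first, so a later regression fix that also mentions the CVE does not mask the original fix); scan_installed_changelogs runs it over the installed copies under /usr/share/doc, which is what the zegrep above reads; cve_installed_status fetches the candidate's changelog with apt-get changelog and compares with the installed version using dpkg's own version ordering. The sample changelog below is constructed: its middle entry mirrors the one quoted on this page, the entries around it are made up. apt-get, dpkg-query, dpkg --compare-versions and gzip are assumed to be present on the real host.

```shell
#!/bin/sh
# Added example (not the answers' own code): find, from a Debian changelog, the
# version whose entry names a CVE, then compare it with what is installed.

# Usage: cve_fix_version CVE-YYYY-NNNN < changelog
# Prints the version of the oldest entry naming the CVE (entries are newest first,
# so the last hit wins), or nothing. Matching is digit-bounded so that
# CVE-2014-929 does not match CVE-2014-9295.
cve_fix_version() {
    awk -v cve="$1" '
        BEGIN { re = "(^|[^0-9])" cve "([^0-9]|$)" }
        # entry header: "pkg (version) distribution; urgency=..."
        /^[^ ]+ \([^)]+\) [^ ]+; urgency=/ { ver = $2; gsub(/[()]/, "", ver); next }
        $0 ~ re { fix = ver }
        END { if (fix != "") print fix }
    '
}

# Usage: scan_installed_changelogs CVE [docroot]
# Prints "pkg version" for every installed package whose changelog names the CVE.
scan_installed_changelogs() {
    cve=$1; docroot=${2:-/usr/share/doc}
    for f in "$docroot"/*/changelog.Debian.gz; do
        [ -f "$f" ] || continue
        v=$(gzip -dc "$f" | cve_fix_version "$cve")
        if [ -n "$v" ]; then
            printf '%s %s\n' "$(basename "$(dirname "$f")")" "$v"
        fi
    done
}

# Usage: cve_installed_status PKG CVE   (real host only: needs apt-get and dpkg)
# Exit 0: fix installed; 1: fix available but not installed; 2: no entry names the CVE.
cve_installed_status() {
    pkg=$1; cve=$2
    fix=$(apt-get changelog "$pkg" | cve_fix_version "$cve")
    if [ -z "$fix" ]; then
        echo "$pkg: no changelog entry names $cve (unfixed, not affected, or not yet released)"
        return 2
    fi
    inst=$(dpkg-query -W -f='${Version}' "$pkg")
    if dpkg --compare-versions "$inst" ge "$fix"; then
        echo "$pkg: $cve fixed in $fix, installed $inst: ok"
        return 0
    fi
    echo "$pkg: $cve fixed in $fix, installed $inst: run apt-get upgrade"
    return 1
}

# Constructed sample: the middle entry mirrors the one quoted on this page; the
# newer 3ubuntu3.1 entry (a made-up regression fix that also names the CVE) and the
# older 3ubuntu2 entry exist only to exercise the "oldest mention wins" rule.
SAMPLE_CHANGELOG='ntp (1:4.2.6.p5+dfsg-3ubuntu3.1) vivid; urgency=medium

  * Constructed entry: fix regression introduced by the CVE-2014-9295 patch.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 05 Jan 2015 10:00:00 +0000

ntp (1:4.2.6.p5+dfsg-3ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: buffer overflows in crypto_recv(), ctl_putdata(), configure()
    - debian/patches/CVE-2014-9295.patch: check lengths in
      ntpd/ntp_control.c, ntpd/ntp_crypto.c.
    - CVE-2014-9295

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Sat, 20 Dec 2014 05:47:10 -0500

ntp (1:4.2.6.p5+dfsg-3ubuntu2) utopic; urgency=medium

  * Constructed entry: no security content.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Sep 2014 10:00:00 +0000'

printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_version CVE-2014-9295
```

Two caveats when reading the result. apt-get changelog fetches the changelog of the candidate version, so a hit there proves the fix is in the repositories, while the /usr/share/doc copy describes only what is installed; cve_installed_status combines the two, and dpkg --compare-versions is used rather than a string compare because epochs, ~ pre-release suffixes and ubuntuN revisions do not sort lexically. And a changelog entry naming a CVE is evidence that the maintainer dealt with it, not proof of a patch: entries sometimes state that a package is not affected, so read the entry the version points at before closing the ticket.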
0

I think you're talking about checking a package's changelog? To see what's new, major bug fixes, etc.? Synaptic has an easy way to try & download changelogs.

Or if the changelog isn't available or is too brief, the best way might be to note the available version, and go to the developer website & see hopefully more detailed changes.

Xen2050
0

If you run those commands, you'll get any fixes that are in the repositories -- but those might not be, yet. If you have Update Notifier enabled (a tray widget), you'll get a notification whenever there are system or security updates (and security updates will be noted as such). Then you'll get the patches as soon as they're out for Ubuntu, without having to stress over them.

Zeiss Ikon