Updating Applications with Vulnerabilities [duplicate]
Today a couple of buffer overflows in NTP were announced 1, 2. It looks like updating my system to fix these issues is in order.
How can I find out if they have been fixed in the Ubuntu repositories, such that if I were to run:
sudo apt-get update
sudo apt-get upgrade
then the fix would get installed and the vulnerability closed?
Edit: The selected answer specifically addresses the question of how to identify if a given CVE has been fixed or not, "Does Ubuntu generally post timely security updates?" 3 is certainly related but not identical
Solution 1:
What you're looking for are Ubuntu Security Notifications and they are not clearly listed in the repositories. This page is the main Ubuntu Security Notifications listing.
As for individual packages, updates which address security fixes are in their own special repository, the -security
pocket. Using Synaptic, you can switch to the "Origin" view, and see packages in the RELEASE-security
pocket.
All CVEs are also listed in the Ubuntu Security Team's CVE tracker - with your specifically referenced CVE here. In the case of CVE-2014-9295 which you reference here, it has not yet been fixed.
Once an update is available, it will be detected by sudo apt-get update; sudo apt-get upgrade
once it's released in the security repository.
Solution 2:
While the accepted answer is correct, I often find I am able to find out this info by viewing the changelog of a package, and that is easier than scouring the CVE trackers or security notifications listing. For example:
sudo apt-get update
apt-get changelog ntp
The output of the above command includes:
...
ntp (1:4.2.6.p5+dfsg-3ubuntu3) vivid; urgency=medium
* SECURITY UPDATE: weak default key in config_auth()
- debian/patches/CVE-2014-9293.patch: use openssl for random key in
ntpd/ntp_config.c, ntpd/ntpd.c.
- CVE-2014-9293
* SECURITY UPDATE: non-cryptographic random number generator with weak
seed used by ntp-keygen to generate symmetric keys
- debian/patches/CVE-2014-9294.patch: use openssl for random key in
include/ntp_random.h, libntp/ntp_random.c, util/ntp-keygen.c.
- CVE-2014-9294
* SECURITY UPDATE: buffer overflows in crypto_recv(), ctl_putdata(), configure()
- debian/patches/CVE-2014-9295.patch: check lengths in
ntpd/ntp_control.c, ntpd/ntp_crypto.c.
- CVE-2014-9295
* SECURITY UPDATE: missing return on error in receive()
- debian/patches/CVE-2015-9296.patch: add missing return in
ntpd/ntp_proto.c.
- CVE-2014-9296
-- Marc Deslauriers <[email protected]> Sat, 20 Dec 2014 05:47:10 -0500
...
Which clearly shows that the bugs you mentioned have been fixed in the ubuntu repositories. You can then run:
sudo apt-get upgrade
to pull down the fix.