Updating Applications with Vulnerabilities [duplicate]

security apt

Today a couple of buffer overflows in NTP were announced 1, 2. It looks like updating my system to fix these issues is in order.

How can I find out if they have been fixed in the Ubuntu repositories, such that if I were to run: 

sudo apt-get update
sudo apt-get upgrade

then the fix would get installed and the vulnerability closed?

Edit: The selected answer specifically addresses the question of how to identify if a given CVE has been fixed or not, "Does Ubuntu generally post timely security updates?" 3 is certainly related but not identical


Solution 1:

What you're looking for are Ubuntu Security Notifications and they are not clearly listed in the repositories. This page is the main Ubuntu Security Notifications listing.

As for individual packages, updates which address security fixes are in their own special repository, the -security pocket. Using Synaptic, you can switch to the "Origin" view, and see packages in the RELEASE-security pocket.

All CVEs are also listed in the Ubuntu Security Team's CVE tracker - with your specifically referenced CVE here. In the case of CVE-2014-9295 which you reference here, it has not yet been fixed.

Once an update is available, it will be detected by sudo apt-get update; sudo apt-get upgrade once it's released in the security repository.

Solution 2:

While the accepted answer is correct, I often find I am able to find out this info by viewing the changelog of a package, and that is easier than scouring the CVE trackers or security notifications listing. For example:

sudo apt-get update
apt-get changelog ntp

The output of the above command includes:

...
ntp (1:4.2.6.p5+dfsg-3ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: weak default key in config_auth()
    - debian/patches/CVE-2014-9293.patch: use openssl for random key in
      ntpd/ntp_config.c, ntpd/ntpd.c.
    - CVE-2014-9293
  * SECURITY UPDATE: non-cryptographic random number generator with weak
    seed used by ntp-keygen to generate symmetric keys
    - debian/patches/CVE-2014-9294.patch: use openssl for random key in
      include/ntp_random.h, libntp/ntp_random.c, util/ntp-keygen.c.
    - CVE-2014-9294
  * SECURITY UPDATE: buffer overflows in crypto_recv(), ctl_putdata(), configure()
    - debian/patches/CVE-2014-9295.patch: check lengths in
      ntpd/ntp_control.c, ntpd/ntp_crypto.c.
    - CVE-2014-9295
  * SECURITY UPDATE: missing return on error in receive()
    - debian/patches/CVE-2015-9296.patch: add missing return in
      ntpd/ntp_proto.c.
    - CVE-2014-9296

 -- Marc Deslauriers <[email protected]>  Sat, 20 Dec 2014 05:47:10 -0500
...

Which clearly shows that the bugs you mentioned have been fixed in the ubuntu repositories. You can then run:

sudo apt-get upgrade

to pull down the fix.

Related

why is output different of counting files?
Network card without needing to install drivers
USB webcam microphone not working
Fix broken install error: paste subprocess was killed by signal (Broken pipe) (NOT DUPLICATE) [duplicate]
How to get 1 third slabs using commands [closed]
Minecraft-Lapis Luzuli Drop Distribution
Disabling Nametags Vanilla
How do I buy a house in Morthal?
Are the new gang hideouts added in "The Liars and Cheats" DLC multiplayer-only?
How to disable menu sounds in The Witcher?
Is there an ideal time to use marketing?
Is there an ideal time to use the boost?