How can I tell if a CVE has been fixed in Ubuntu's repositories?

Solution 1:

What you're looking for are Ubuntu Security Notifications and they are not clearly listed in the repositories. This page is the main Ubuntu Security Notifications listing.

As for individual packages, updates which address security fixes are in their own special repository, the -security pocket. Using Synaptic, you can switch to the "Origin" view, and see packages in the RELEASE-security pocket.

All CVEs are also listed in the Ubuntu Security Team's CVE tracker - with your specifically referenced CVE here. In the case of CVE-2014-9295 which you reference here, it has not yet been fixed.

Once an update is available, it will be detected by sudo apt-get update; sudo apt-get upgrade once it's released in the security repository.

Solution 2:

While the accepted answer is correct, I often find I am able to find out this info by viewing the changelog of a package, and that is easier than scouring the CVE trackers or security notifications listing. For example:

sudo apt-get update
apt-get changelog ntp

The output of the above command includes:

...
ntp (1:4.2.6.p5+dfsg-3ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: weak default key in config_auth()
    - debian/patches/CVE-2014-9293.patch: use openssl for random key in
      ntpd/ntp_config.c, ntpd/ntpd.c.
    - CVE-2014-9293
  * SECURITY UPDATE: non-cryptographic random number generator with weak
    seed used by ntp-keygen to generate symmetric keys
    - debian/patches/CVE-2014-9294.patch: use openssl for random key in
      include/ntp_random.h, libntp/ntp_random.c, util/ntp-keygen.c.
    - CVE-2014-9294
  * SECURITY UPDATE: buffer overflows in crypto_recv(), ctl_putdata(), configure()
    - debian/patches/CVE-2014-9295.patch: check lengths in
      ntpd/ntp_control.c, ntpd/ntp_crypto.c.
    - CVE-2014-9295
  * SECURITY UPDATE: missing return on error in receive()
    - debian/patches/CVE-2015-9296.patch: add missing return in
      ntpd/ntp_proto.c.
    - CVE-2014-9296

 -- Marc Deslauriers <[email protected]>  Sat, 20 Dec 2014 05:47:10 -0500
...

Which clearly shows that the bugs you mentioned have been fixed in the Ubuntu repositories. You can then run:

sudo apt-get upgrade

to pull down the fix.
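The changelog check above can be scripted so it answers both questions the thread raises: which package version first carried the fix for a given CVE, and whether the version installed on this machine is at least that version. The following is an added example and is not code from either answer above or from Ubuntu. The changelog text embedded in it is constructed for the demonstration (the 3ubuntu4 "regression" entry and the maintainer name are invented), and the `check_cve` wrapper and the `cve_fixed_in` function are names chosen here, not Ubuntu tooling. The wrapper needs network access plus `apt-get` and `dpkg`, so only the offline parser is exercised by the sample.

```shell
#!/bin/sh
# Added example (not from the original answers): locate the version of a
# package that first mentions a CVE in its changelog, then compare it with
# the installed version. Debian/Ubuntu changelogs list entries newest-first.

# Constructed sample in the shape of `apt-get changelog ntp` output.
# The 3ubuntu4 entry and the maintainer are made up for this example.
SAMPLE_CHANGELOG='ntp (1:4.2.6.p5+dfsg-3ubuntu4) vivid; urgency=medium

  * debian/patches/CVE-2014-9295-regression.patch: fix a regression
    introduced by the CVE-2014-9295 fix (constructed entry)

 -- Example Maintainer <maint@example.com>  Mon, 05 Jan 2015 10:00:00 -0500

ntp (1:4.2.6.p5+dfsg-3ubuntu3) vivid; urgency=medium

  * SECURITY UPDATE: buffer overflows in crypto_recv(), ctl_putdata(), configure()
    - debian/patches/CVE-2014-9295.patch: check lengths in
      ntpd/ntp_control.c, ntpd/ntp_crypto.c.
    - CVE-2014-9295

 -- Example Maintainer <maint@example.com>  Sat, 20 Dec 2014 05:47:10 -0500

ntp (1:4.2.6.p5+dfsg-3ubuntu2) utopic; urgency=medium

  * Older entry that predates the security update

 -- Example Maintainer <maint@example.com>  Mon, 01 Sep 2014 10:00:00 -0500
'

# cve_fixed_in CVE-ID  (changelog text on stdin)
# Prints the OLDEST version whose entry names the CVE, i.e. the version that
# introduced the fix. Newer entries may mention the CVE again (regression
# fixes), so the newest mention would overstate the required version.
cve_fixed_in() {
    awk -v cve="$1" '
        # "pkg (version) distribution; urgency=..." opens a changelog entry
        /^[a-z0-9][a-z0-9.+-]* \([^)]*\) [^;]*; / {
            ver = $2; gsub(/[()]/, "", ver); next
        }
        # any line naming the CVE as a whole identifier marks this entry;
        # later (older) matches overwrite earlier ones
        $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") { found = ver }
        END { if (found != "") print found }
    '
}

# check_cve PACKAGE CVE-ID  (hypothetical wrapper; needs apt-get, dpkg, network)
# Exit 0: installed version already carries the fix.
# Exit 1: fix is in the repositories but not installed.
# Exit 2: no changelog entry for the CVE yet, or changelog unavailable.
check_cve() {
    pkg=$1; cve=$2
    log=$(apt-get changelog "$pkg" 2>/dev/null) || log=""
    if [ -z "$log" ]; then
        echo "$cve: could not fetch the $pkg changelog (network or apt error)"
        return 2
    fi
    fix=$(printf '%s\n' "$log" | cve_fixed_in "$cve")
    if [ -z "$fix" ]; then
        echo "$cve: no entry in the $pkg changelog yet"
        return 2
    fi
    inst=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)
    if [ -n "$inst" ] && dpkg --compare-versions "$inst" ge "$fix"; then
        echo "$cve: fixed in $pkg $fix; installed $inst is up to date"
        return 0
    fi
    echo "$cve: fixed in $pkg $fix; installed ${inst:-none}, upgrade needed"
    return 1
}

# Offline demonstration on the constructed changelog.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2014-9295
```

Two caveats when using this for real: `apt-get changelog` fetches the changelog of the candidate version, so if the `-security` pocket is not in your sources the security entries will not appear at all; and a CVE being named in the changelog only tells you a patch was shipped, so the CVE tracker remains the place to confirm the fix covers your release. Version comparison is delegated to `dpkg --compare-versions` because Debian version ordering (epochs, `~`, `+dfsg`) is not what `sort -V` implements.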