Is there any way to map Ubuntu package name to CPE/USN/CVE?

Asked by Krystian Piwowarczyk

I have a list of packages from multiple Linux systems. From Ubuntu boxes I get them by using dpkg. Because I have it in the form of a large string (one per device), I'm using a regex to get precise package versions and find out if a package has some security vulnerabilities (I'm using the cve-search project). It works fine for standard packages (e.g. libxml2:2.9.1), but for Ubuntu-specific packages (e.g. openssl:1.0.1-4ubuntu5.31) I have problems, because it's not the old openssl:1.0.1: it has some security patches which mitigate some of the CVEs.

For Red Hat there is a map which I can use, but so far I have been unable to find any solution for Ubuntu packages. I tried the Ubuntu CVE Tracker: it maps CVE to package, but I'd like to do the opposite (and yes, I tried searching by package name, but I cannot get anything more specific than e.g. http://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html, which is not useful).

Even a mapping between package and Ubuntu Security Notices would be useful for me (as cve-search maps CVE to USN)!

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
Manfred Hampl (m-hampl) said:
#1

What is wrong with pages like http://people.canonical.com/~ubuntu-security/cve/pkg/openjdk-6.html ?
If such a page is empty, it shows that all known vulnerabilities for that package have been patched.

Some more pages that might help:
On https://bugs.launchpad.net/bugs/cve you can search for package names

CVE reports per package
https://bugs.launchpad.net/openjdk/+cve

(I am aware that this does not answer all parts of your question.)
