How to identify if a CVE affects my distro?

Asked by helpme on 2017-10-03

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000251.html

In the above link, there are multiple packages listed for different OS variants. I have an Ubuntu 16.04 LTS running in a closed network that cannot be connected to the internet.

Do I need to check each single package and update my OS variant for each of the packages individually if the CVE states "released"?

And what do the following statuses mean, and what actions are needed for the security vulnerability?

Status | Meaning/Actions
======================
released - a fix was released, just updating will do?
DNE - not in any upstream or current version, nothing can be done?
ignored - vulnerability exists but is ignored because it is not being fixed due to EOL?
pending - working on a fix, release coming soon?
needed - needs assessment for a fix, like "needs-triage"?

Any help is greatly appreciated.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Manfred Hampl
Solved: 2017-10-04
Last query: 2017-10-04
Last reply: 2017-10-04
Manfred Hampl (m-hampl) said : #1

I assume that you have only one single package installed from the whole list of potentially affected ones.

What is the output of the commands

uname -a
lsb_release -crid
dpkg -l | grep linux-i

Remark: DNE means "does not exist"; this means that the version provided for this Ubuntu release is not affected by that vulnerability, and no action is needed.

helpme (godhelpme) said : #2

Besides DNE, what do the other statuses really mean?

Output of the 3 commands:

Linux controller 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
========
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
========
ii linux-image-4.4.0-83-generic 4.4.0-83.106 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-87-generic 4.4.0-87.110 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-89-generic 4.4.0-89.112 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-91-generic 4.4.0-91.114 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-92-generic 4.4.0-92.115 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-93-generic 4.4.0-93.116 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-96-generic 4.4.0-96.119 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-83-generic 4.4.0-83.106 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-87-generic 4.4.0-87.110 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-89-generic 4.4.0-89.112 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-91-generic 4.4.0-91.114 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-92-generic 4.4.0-92.115 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-93-generic 4.4.0-93.116 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-96-generic 4.4.0-96.119 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-generic 4.4.0.96.101 amd64 Generic Linux kernel image

Manfred Hampl (m-hampl) said : #3

As far as I can see, the only package relevant for your system is "linux", and for xenial the version 4.4.0-96.119 contains the related fix.
You have already installed this patched version, but have not yet activated it.

In my opinion the problem with this CVE should be solved for the system in question with a reboot (to activate the 4.4.0-96.119 version of the kernel).

There is some further information about status and criticality in http://people.canonical.com/~ubuntu-security/cve/priority.html
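The check in the answer above (the fix is installed as a package, but the kernel actually running is older, so a reboot is still required) is easy to automate. The following script is an added example and not code from the thread or from Ubuntu: it parses `dpkg -l` style lines, compares each installed `linux-image-<abi>-<flavour>` package against the running release from `uname -r`, and against the fixed version for the CVE. The sample lines are a constructed subset of the output posted above; the fixed version 4.4.0-96.119 is the one stated for xenial in the answer. The simplified version ordering (split on `.` and `-`, compare as integers) is an assumption that holds for Ubuntu kernel versions but is not a full implementation of `dpkg --compare-versions`.

```python
import platform
import re
import subprocess

# Constructed sample input: a subset of the `dpkg -l | grep linux-i` lines posted
# in this thread (status, package, version, arch, description).
SAMPLE_DPKG_L = """\
ii linux-image-4.4.0-83-generic 4.4.0-83.106 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-91-generic 4.4.0-91.114 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-96-generic 4.4.0-96.119 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-96-generic 4.4.0-96.119 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-generic 4.4.0.96.101 amd64 Generic Linux kernel image
"""

# Fixed version for xenial as stated in the answer above.
XENIAL_FIXED_VERSION = "4.4.0-96.119"

# Matches the per-ABI kernel packages only (not the linux-image-generic
# metapackage and not linux-image-extra-*, which carry no separate fix state).
KERNEL_PKG_RE = re.compile(r"^linux-image-(\d+\.\d+\.\d+-\d+)-([A-Za-z0-9]+)$")


def version_key(version: str) -> tuple:
    """Order "4.4.0-96.119" as (4, 4, 0, 96, 119).

    Assumption: simplified ordering, adequate for Ubuntu kernel versions,
    not a replacement for dpkg's full version comparison.
    """
    return tuple(int(part) for part in re.split(r"[.\-]", version))


def installed_kernels(dpkg_output: str) -> dict:
    """Map "<abi>-<flavour>" (e.g. "4.4.0-96-generic") to the installed package version."""
    found = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":   # only fully installed packages
            continue
        match = KERNEL_PKG_RE.match(fields[1])
        if match:
            found[f"{match.group(1)}-{match.group(2)}"] = fields[2]
    return found


def assess(dpkg_output: str, running_release: str, fixed_version: str) -> tuple:
    """Classify the host for one kernel CVE.

    Returns (status, newest_installed_release) where status is one of:
      "update-required"          no installed kernel package carries the fix
      "patched-reboot-required"  a fixed kernel is installed but not the one running
      "patched-and-running"      the running kernel already carries the fix
      "no-kernel-packages"       nothing matched, cannot decide
    """
    kernels = installed_kernels(dpkg_output)
    if not kernels:
        return ("no-kernel-packages", None)
    newest_release, newest_version = max(kernels.items(), key=lambda kv: version_key(kv[1]))
    fixed = version_key(fixed_version)
    running_version = kernels.get(running_release)   # None if the running kernel's package is gone
    if running_version is not None and version_key(running_version) >= fixed:
        return ("patched-and-running", newest_release)
    if version_key(newest_version) >= fixed:
        return ("patched-reboot-required", newest_release)
    return ("update-required", newest_release)


def assess_this_host(fixed_version: str = XENIAL_FIXED_VERSION) -> tuple:
    """Run the same check against the live system (needs dpkg; not used in the offline sample)."""
    dpkg_output = subprocess.check_output(["dpkg", "-l"], text=True)
    return assess(dpkg_output, platform.release(), fixed_version)


if __name__ == "__main__":
    # The thread's situation: running 4.4.0-83-generic, 4.4.0-96.119 installed.
    print(assess(SAMPLE_DPKG_L, "4.4.0-83-generic", XENIAL_FIXED_VERSION))
```

On an air-gapped host, `assess_this_host()` is the only call that touches the system, and the fixed version has to be carried in by hand from the tracker page; `platform.release()` returns the same string as `uname -r`, which is what the `dpkg` package name is keyed on.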

helpme (godhelpme) said : #4

Thanks for the information.

But still, does anyone know what the other statuses mean? These are not found in the link provided but in the CVE description.

- released
- ignored
- needed

Best answer: Manfred Hampl (m-hampl) said : #5

I do not have a link to an official explanation of the status codes, but as far as I know:

released: an updated package has been published in the official repositories (usually in codename-updates and/or codename-security) for installation with the package management tools.

needed: an updated package is not yet available, so there is no possibility (yet) to eliminate the vulnerability by installing a new version of the package (but other workarounds might be available).

ignored: (I assume that) due to low criticality and forthcoming end-of-life status of the release no work is done any more.

pending: an updated package has already been prepared, but testing and verification have not yet been completed (the package usually already being in codename-proposed).

helpme (godhelpme) said : #6

It would really be good if the Ubuntu security team could put this information somewhere official.

For now, I guess Manfred's answer is the best we can have. Thanks.

helpme (godhelpme) said : #7

Thanks Manfred Hampl, that solved my question.