Thanks guys,

Here are my CVE identifiers:

CVE-2016-9843
CVE-2016-9842
CVE-2016-9841
CVE-2016-9840

I looked them up on the Ubuntu CVE tracker (https://people.canonical.com/~ubuntu-security/cve/).

I am having trouble reading the results and determining if there exist any fixes for these CVEs. In the package list all of the CVEs state "needs-triage" for Ubuntu 14.04 LTS. Does this mean that none of these CVEs have fixes?

Thanks,

Tom

On Wed, Oct 11, 2017 at 8:00 AM, <[email protected]> wrote:
> Send Ubuntu-devel-discuss mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Ubuntu-devel-discuss digest..."
>
>
> Today's Topics:
>
> 1. need to fix 4 high vulnerability assessments about needing to
> update zlib 1.2.8 (Thomas Gertin)
> 2. Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8 (Robie Basak)
> 3. Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8 (Thomas Ward)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 10 Oct 2017 16:54:40 -0400
> From: Thomas Gertin <[email protected]>
> To: [email protected]
> Subject: need to fix 4 high vulnerability assessments about needing to
> update zlib 1.2.8
> Message-ID:
> <cakvwn8cppon3cfadj_ku-wyf1hnpptadpuctdvptemexh-d...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> I am getting 4 high vulnerability assessments from my Common
> Vulnerabilities and Exposures-1.1 rules package. They all recommend
> updating my zlib package. I have updated my zlib package and it is
> up-to-date with version 1.2.8. However, it still produces the same
> vulnerability assessments, and I think I may need to update it
> further. I have Ubuntu 14.04.5 LTS. Can anybody help on how to do
> this?
>
> Thanks,
>
> Tom
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 10 Oct 2017 22:22:54 +0100
> From: Robie Basak <[email protected]>
> To: Thomas Gertin <[email protected]>
> Cc: [email protected]
> Subject: Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Thomas,
>
> On Tue, Oct 10, 2017 at 04:54:40PM -0400, Thomas Gertin wrote:
>> I am getting 4 high vulnerability assessments from my Common
>> Vulnerabilities and Exposures-1.1 rules package. They all recommend
>> updating my zlib package. I have updated my zlib package and it is
>> up-to-date with version 1.2.8. However, it still produces the same
>> vulnerability assessments, and I think I may need to update it
>> further. I have Ubuntu 14.04.5 LTS. Can anybody help on how to do
>> this?
>
> First step: you should have a list of CVE identifiers for the
> vulnerabilities that your tooling believes exist. Look these up in
> Ubuntu's CVE database to see what the security team believes is the
> current state of those.
>
> You can find the CVE database at
> https://people.canonical.com/~ubuntu-security/cve/
>
> Then, if you still have concerns, please post the specific CVEs that
> bother you and explain these concerns in the context of what our CVE
> database says our position is about them.
>
> If you are having difficulty in actually updating your system's
> packages, then this list is probably the wrong place for a discussion
> about that unless you have reason to think that there's a bug or other
> problem in Ubuntu in general, as opposed to just your system.
>
> Hope that helps,
>
> Robie
>
> ------------------------------
>
> Message: 3
> Date: Tue, 10 Oct 2017 18:31:31 -0400
> From: Thomas Ward <[email protected]>
> To: [email protected]
> Subject: Re: need to fix 4 high vulnerability assessments about
> needing to update zlib 1.2.8
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> Consider that vulnerability scanners are 99% of the time **unaware** of
> how the Ubuntu Security Team does updates.
>
> Please compare what vulnerabilities are being reported against the
> corresponding CVEs on the Security Team CVE tracker
> (http://people.canonical.com/~ubuntu-security/cve/) and then depending
> on whether it's reported as fixed or not, adjust your rules for those
> detections. (I do this in Nessus - with individual scans of my Ubuntu
> infrastructure adjusted on a per-host basis so that it doesn't trigger
> on certain events, because it's already resolved but the scanners are
> unable to actually recognize it).
>
>
> Thomas
> Ubuntu Server Team Member
> LP: ~teward
>
>
> On 10/10/2017 04:54 PM, Thomas Gertin wrote:
>> Hello,
>>
>> I am getting 4 high vulnerability assessments from my Common
>> Vulnerabilities and Exposures-1.1 rules package. They all recommend
>> updating my zlib package. I have updated my zlib package and it is
>> up-to-date with version 1.2.8. However, it still produces the same
>> vulnerability assessments, and I think I may need to update it
>> further. I have Ubuntu 14.04.5 LTS. Can anybody help on how to do
>> this?
>>
>> Thanks,
>>
>> Tom
>>
>
> ------------------------------
>
> Subject: Digest Footer
>
> --
> Ubuntu-devel-discuss mailing list
> [email protected]
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
> ------------------------------
>
> End of Ubuntu-devel-discuss Digest, Vol 131, Issue 7
> ****************************************************
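
Added example, not part of the original thread and not Ubuntu tooling: a sketch of the comparison the replies describe, reconciling scanner findings with per-release tracker statuses. It assumes the tracker's per-CVE text layout is `<release>_<package>: <status> (<note>)` with `trusty` standing for 14.04; the sample data is constructed, the placeholder CVE ids and package are hypothetical, and only the trusty "needs-triage" entry comes from the post.

```python
import re

# Constructed sample. Only "trusty_zlib: needs-triage" reflects the post;
# the CVE-0000-* entries, "examplepkg" and EXAMPLE-VERSION are placeholders.
SAMPLE_TRACKER = """\
Candidate: CVE-2016-9843
trusty_zlib: needs-triage

Candidate: CVE-0000-0001
trusty_examplepkg: released (EXAMPLE-VERSION)

Candidate: CVE-0000-0002
trusty_examplepkg: not-affected (code not present)
"""

# Assumed line layout: <release>_<package>: <status> [(<note>)]
STATUS_LINE = re.compile(
    r"^(?P<rel>[a-z]+)_(?P<pkg>[^:]+):\s*(?P<status>[\w-]+)"
    r"(?:\s*\((?P<note>.*)\))?\s*$"
)

def parse_tracker(text):
    """Return {cve: {(release, package): (status, note)}}."""
    entries, cve = {}, None
    for line in text.splitlines():
        if line.startswith("Candidate:"):
            cve = line.split(":", 1)[1].strip()
            entries[cve] = {}
            continue
        m = STATUS_LINE.match(line)
        if m and cve:
            entries[cve][(m["rel"], m["pkg"])] = (m["status"], m["note"])
    return entries

def triage(findings, tracker, release):
    """Map each scanner finding (cve, package) to a rule decision.

    A finding is suppressed only when the tracker says the release is not
    affected or a fixed package version exists; everything else, including
    "needs-triage" and CVEs missing from the tracker, stays open.
    """
    decisions = {}
    for cve, pkg in findings:
        status, note = tracker.get(cve, {}).get((release, pkg), ("unknown", None))
        if status in ("not-affected", "DNE"):
            decisions[cve] = "suppress: release not affected"
        elif status == "released":
            decisions[cve] = f"suppress once installed {pkg} >= {note}"
        else:
            decisions[cve] = f"keep open: tracker status is {status}"
    return decisions
```
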
