20

The Ubuntu CVE Tracker page contains multiple tables related to kernel packages, some of which say DNE , others pending and version next to each . I would like to know how to properly read each table. Does the version next to pending refer to kernel version for which the fix is released ?

Context for the Question: I mostly answer questions on the Ask Ubuntu site. Lately, a new user on the site has been convinced that I misinterpreted the mentioned above CVE report, to the point of editing my original answer in very intrusive way.

To be perfectly frank, the CVE page indeed is confusing for person who doesn't regularly read the CVE reports. So it would be nice to know how to properly read such reports for the future, and have a 3rd party opinion.

grooveplex
  • 106
  • 8
Sergiy Kolodyazhnyy
  • 519
  • 5
  • 17

1 Answers1

15

Does the version next to pending refer to kernel version for which the fix is released?

Yes- more precisely, the version next to "pending" refers to the version of the package within the lineage in which the fix is included.

There are lots of binary packagings of the upstream kernel sources for different hardware platforms and other use cases- "linux", "linux-mako", "linux-snapdragon", etc- and there are also many release lineages- Ubuntu 12.04 LTS/14.04/etc- of all those packages that are maintained concurrently.

So the upstream bug may need to be fixed in multiple packagings of the same sources across multiple lineages. Because of the complexity, a triage process is used to conduct the relevant classifications and track work. This page reports on the state of that triage process for this particular bug.

This can be traced as follows:

  • pick one of the packages- "linux"- and one of the lineages- "Ubuntu 12.04 LTS".

    The table indicates that the state of the fix for that package in that lineage is "pending". The version of the package that will contain the fix within that lineage is "3.2.0-109.150".

  • to confirm, follow the lineage link for the package- https://launchpad.net/ubuntu/precise/+source/linux

  • scroll down to the "Releases in Ubuntu" section of the lineage-package page, and find the specific fix version, which has its own page: https://launchpad.net/ubuntu/+source/linux/3.2.0-109.150

  • on that page is a changelog. In that changelog includes a reference to the CVE (CVE-2016-5696), the particular fix that was made, and the person who made it

The CVE page is confusing because it is automatically published from a complex data model that tracks the interrelationships between upstream sources and their packagings within and across lineages. It follows a template that is optimized for authority, not necessarily for readability.

The classifications, like "DNE" or "pending" refer to the triage and release workflow that Ubuntu follows. States on that page are:

  • "DNE" means that the package does not exist within the lineage
  • "ignored" means that energy is not being expended for determining whether the problem exists in the particular package within the lineage, because support has ended for one reason or another. See for instance the linux-lts-quantal package, in the Ubuntu 12.04 LTS lineage. Support for that particular package (a backported hardware enablement package) in that lineage is beyond end-of-life.
  • "needs triage" means that the package within the lineage is still supported, but work is needed to determine if the reported problem actually exists within that package-lineage pair. See for instance the "linux-goldfish" package in Ubuntu 16.10.
  • "not affected" means that the underlying source code vulnerability exists in the particular package within the lineage, but triage determined that for some other reason the issue will not occur. See for instance "linux-mako" within Ubuntu 16.04 LTS.
  • "needed" of course means that triage has determined that the package within the lineage is affected, but work to apply the fix to the particular package within the lineage is still needed. See for instance the linux-armadaxp package within the 12.04 lineage.
  • "pending" means that the work needed to apply the fix to the particular package within the lineage has been done, a version has been cut, and a release is in the works.
  • "released" means that the fix for the package within the lineage has been released
Community
  • 1
Jonah Benton
  • 3,359
  • 12
  • 20
  • Small question: on the table for `linux-lts-wily` `Ubuntu 14.04 LTS (Trusty Tahr)` states that fix is `needed` , but for the same kernel image `Ubuntu 16.04 LTS (Xenial Xerus)` it says DNE. Does that imply 16.04 with `linux-lts-wily` being safe from this vulnerability ? Same package, but such discrepancy for either system version. How can this be explained ? – Sergiy Kolodyazhnyy Aug 22 '16 at 04:47
  • Apologies, rechecked and DNE means that the package itself does not exist within the lineage. Can be confirmed by checking the package page, e.g. https://launchpad.net/ubuntu/+source/linux-lts-wily, which lists all lineages. Answer has been edited. To the question, it is the case, though, that the package in an earlier lineage could have an issue that the package in a later lineage does not. Note the linux package- upstream sources are different in different lineages. – Jonah Benton Aug 22 '16 at 05:06
  • this DNE means in the default setup, the system was not affected, however it does not necessarily mean that if you altered the system, such as installed newer kernel, you would still not be affected. – Sajuuk Mar 19 '18 at 08:46