These are mostly generic questions. I believe you should make an effort and look up the relevant information yourself. But the last question is very specific, so I feel it deserves a detailed answer because this info may be not so easy to come by.
Quote:
Originally Posted by garryjp
4. If a customer's systems require a patch they found upstream, how can you tell which version of an Ubuntu package contains the commit that includes that patch?

Quote:
Originally Posted by berndbausch

I'm afraid not.
First, let's talk not about patches in general, but specifically about security patches. Each security vulnerability gets assigned a CVE identifier. They are usually searched for and referenced by these. The Ubuntu Security Team provides a (semi-)official web interface for this, the Ubuntu CVE Tracker. So if the upstream patch in question fixes a security vulnerability, the CVE is most certainly mentioned in the patch description. Now, search for that CVE-ID in the Ubuntu CVE Tracker.
To give you an example, let's try it with CVE-2014-6271, which was the initial CVE-ID for Shellshock (well-known bugs get cool names nowadays). As the search result, you'll get this page. There you can see what package was affected, whether the patch fixing it was released by Ubuntu, and if it was, which package release did it. Also pay attention to the Notes section there. In this case it says:
Quote:
After updates were released for this issue, it was discovered that the fix was incomplete. The new issue is being tracked as CVE-2014-7169.
I leave finding info for the last one mentioned to you as an exercise.
From the same web search form (Ubuntu CVE Tracker) you may also look up package names rather than CVE-IDs. You'll get a nice matrix then. This is how it currently looks for bash. As you can see, the CVE-IDs for Shellshock don't even get mentioned there, that vulnerability being just too old.
Now, what to do if the patch in question didn't get assigned a CVE-ID? I'd suggest you start from the distro-patches page by OSS-Security. It will give you useful hints about how to find specific patches not only for Ubuntu, but for several other distros as well. Their Ubuntu section references Debian; don't forget to have a look there, too.
You'll also have to learn how to use the bug tracker for your distribution. For Ubuntu, it's launchpad.net. E.g. bugs for bash can be found at https://bugs.launchpad.net/ubuntu/+source/bash and patches at https://bugs.launchpad.net/ubuntu/+source/bash/+patches (those are the patches currently being worked on; they may not be the patches you're looking for).
Also keep in mind that the name of the source package is not always the same as the name of the binary package that you install on your system. To find out what source package a certain binary package was built from, you may use either the web interface at https://packages.ubuntu.com or the command line.
The page for a specific binary package on packages.ubuntu.com includes a link to the corresponding source package page at the top left. E.g. on the page for libssl1.1 you'll see
You'll get that info from the command line with apt-cache:
Code:
apt-cache showsrc libssl1.1
The package page on packages.ubuntu.com also includes links to the bugs page on launchpad.net and to the Ubuntu changelog page (see below) for that package.
All that said, finding what version of an Ubuntu package included the fix for a certain bug may be very time-consuming if you follow the procedure for Debian described on the distro-patches page linked above. So are there any shortcuts? Yes, there are. But they are just that: shortcuts. That means they don't always work. If you find the package version in question using them, fine. If not, that doesn't mean yet that the package is unpatched. It only means you have to search harder, using the proper procedure. So what are they? Quite simple: search the package changelogs.
Every Debian package installs /usr/share/doc/<packagename>/changelog.Debian.gz. Quite a few packages also install upstream changelogs as /usr/share/doc/<packagename>/changelog.gz. So if you find that specific bug being mentioned in either changelog as fixed, you'll know the answer to your question.
Unfortunately, there are two problems specific to Ubuntu. When a Debian package is rebuilt by Ubuntu, the upstream changelog gets removed, and the Debian changelog is truncated to the ten most recent entries. The full Debian changelogs can still be seen at https://changelogs.ubuntu.com.
You can also look for them from the command line with apt. I'll show you how to do it for a CVE-ID, but this works the same for anything mentioned in the changelog:
Code:
#!/bin/sh
# Print the changelog entry header (package, version, suite) together with
# the first line that mentions the search term, then stop.
pkg=libssl1.1
cve=CVE-2014-3470
cmd="apt-get changelog $pkg"
echo == awk ==
# Remember every unindented line (an entry header) in v; on the first match,
# print the header it belongs to and the matching line.
$cmd 2>/dev/null | awk '/^[^ \t]/{v=$0}/'"$cve"'/{print v;print;exit}'
echo
echo == sed ==
# Same idea with sed: keep the latest header in hold space, and on a match
# print the header followed by the matching line.
$cmd 2>/dev/null | sed -n "/^\S/h;/$cve/{x;G;p;q}"
An additional benefit of doing it this way is that you can also search in packages currently not installed on your system.
Ubuntu packages retain Debian patches, so perusing Debian infrastructure may turn out to be useful. E.g. Debian patches for the Debian unstable (sid) version of bash are here. You can get to that page from the bash package page on packages.debian.org. Obviously, you won't obtain any patches there that were added by Ubuntu on top of Debian. They (or rather it, because they're maintained as one big sweeping patch including all the differences between a Debian package and the Ubuntu package based on it) can be accessed from the package page on the Debian Package Tracker (the page for bash) or from https://patches.ubuntu.com.
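As an added example (my own code, not from the post above or from any Ubuntu tool), here is a small POSIX shell script that generalises the awk/sed one-liners from the post: a function reads a Debian-format changelog on stdin, finds the first entry that mentions an arbitrary search term (a CVE-ID, a Launchpad bug number, a keyword) and prints the version field of that entry, exiting non-zero when the term is absent. It goes a step beyond the post by also comparing that version against the installed one. The embedded changelog, the package name examplepkg, its versions and CVE-2099-0001 are constructed placeholders; the live code path relies on apt-get changelog, dpkg-query and dpkg --compare-versions as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads a Debian-format
# changelog on stdin and prints the version of the first entry mentioning
# TERM. Exit status 1 means "not mentioned", which is NOT proof that the
# package is unpatched: the fix may be described differently or not at all.

# changelog_fix_version TERM  < changelog
changelog_fix_version() {
    awk -v term="$1" '
        # An entry header is the only unindented line, e.g.
        #   examplepkg (1.0.2-1ubuntu2.3) focal-security; urgency=medium
        # Body lines are indented and the trailer line starts with " -- ".
        /^[^ \t]/ { header = $0; next }
        # First body line containing TERM: extract the parenthesised version
        # field from the header it belongs to, then stop reading.
        header != "" && index($0, term) {
            if (match(header, /\([^)]*\)/)) {
                print substr(header, RSTART + 1, RLENGTH - 2)
                found = 1
            }
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample changelog (placeholder package, versions and CVE-ID; the
# layout follows the real Debian changelog format).
SAMPLE_CHANGELOG='examplepkg (1.0.2-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder issue fixed by a backported upstream commit
    - debian/patches/CVE-2099-0001.patch: placeholder patch file
    - CVE-2099-0001

 -- Example Maintainer <maintainer@example.com>  Mon, 01 Jan 2024 00:00:00 +0000

examplepkg (1.0.2-1ubuntu2.2) focal; urgency=medium

  * Unrelated bug fix (LP: #000000)

 -- Example Maintainer <maintainer@example.com>  Sun, 01 Jan 2023 00:00:00 +0000
'

# check_package PKG TERM: live lookup via apt-get changelog (works for
# packages that are not installed locally), then compare with the installed
# version when there is one.
check_package() {
    pkg=$1; term=$2
    fixed=$(apt-get changelog "$pkg" 2>/dev/null | changelog_fix_version "$term") || {
        echo "$pkg: $term not mentioned in the changelog (not proof it is unpatched; check the Ubuntu CVE Tracker)" >&2
        return 1
    }
    echo "$pkg: $term first mentioned in version $fixed"
    # dpkg-query fails (or prints nothing) when the package is not installed.
    inst=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) && [ -n "$inst" ] || return 0
    if dpkg --compare-versions "$inst" ge "$fixed"; then
        echo "$pkg: installed $inst >= $fixed, fix present"
    else
        echo "$pkg: installed $inst < $fixed, fix missing"
    fi
}

if [ "$#" -ge 2 ]; then
    check_package "$1" "$2"
else
    # Offline demo on the constructed sample changelog.
    printf '%s' "$SAMPLE_CHANGELOG" | changelog_fix_version CVE-2099-0001   # 1.0.2-1ubuntu2.3
    printf '%s' "$SAMPLE_CHANGELOG" | changelog_fix_version CVE-2099-9999 \
        || echo "CVE-2099-9999: not mentioned in the sample changelog"
fi
```

Run it without arguments for the offline demo, or as `sh script.sh libssl1.1 CVE-2014-3470` to do the live lookup from the post. The function reads any Debian changelog, so `zcat /usr/share/doc/<pkg>/changelog.Debian.gz | changelog_fix_version <term>` works too, subject to the ten-entry truncation the post mentions.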