Re: Is there an official statement about the Ubuntu package version identifier

2019-06-11 Thread Leroy Tennison
Just FYI, the scanning vendor accepted all of the disputes based on 
people.canonical.com and usn.ubuntu.com.

Harriscomputer

Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com

Re: Is there an official statement about the Ubuntu package version identifier

2019-06-11 Thread Leroy Tennison
As I said previously, sorry for the delayed response.  This is perfect, I 
wasn't aware of the significance of the usn link on people.canonical.com; that 
is exactly what I am going to use in my reply to the scanning vendor.  Thank 
you so much for your reply.
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam

Re: Is there an official statement about the Ubuntu package version identifier

2019-06-11 Thread Leroy Tennison
I apologize for the delayed response, I was tasked with an urgent request right 
after sending this.  Thank you for your reply and the good information it 
provided.

Re: Is there an official statement about the Ubuntu package version identifier

2019-06-08 Thread Robie Basak
Hi Leroy,

Some additions to what others have already said:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions points out "Sometimes
external security vendors doing software version scanning against Ubuntu
systems do not check actual package versions, leading to false positives
in their scan reports. For an authoritative source of what packages may
have outstanding vulnerabilities, the Ubuntu CVE Tracker can be
consulted."

The Ubuntu CVE Tracker at
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html
says that the fix was released in package version "2.4.18-2ubuntu3.1"
(in Xenial, for example), and I believe this database reflects the
Ubuntu Security Team's official position. In addition it is confirmed in
the linked announcement https://usn.ubuntu.com/3038-1/ which certainly
is an official statement.

If that is not sufficient for your needs, why isn't it?

Robie

Re: Is there an official statement about the Ubuntu package version identifier

2019-06-07 Thread Dimitri John Ledkov

Ubuntu publishes its CVE status in OVAL (https://oval.mitre.org/), which I
would expect a commercial vulnerability scanner to be able to parse.
https://people.canonical.com/~ubuntu-security/oval/ e.g.
com.ubuntu.xenial.cve.oval.xml.bz2 for the xenial release.

From the xenial release data, it does contain a definition for:

    <reference source="CVE" ref_id="CVE-2016-5387"
      ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387" />


The criteria that must be applied for this CVE on Ubuntu 16.04 Xenial
release are:

    <criteria>
      <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
        comment="Ubuntu 16.04 LTS (xenial) is installed." applicability_check="true" />
      <criteria operator="OR">
        <criterion test_ref="oval:com.ubuntu.xenial:tst:20165387000"
          comment="apache2 package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
        <criterion test_ref="oval:com.ubuntu.xenial:tst:20165387010"
          comment="apache2-bin package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
        <criterion test_ref="oval:com.ubuntu.xenial:tst:20165387020"
          comment="apache2-data package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
        <criterion test_ref="oval:com.ubuntu.xenial:tst:20165387030"
          comment="apache2-suexec-custom package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
        <criterion test_ref="oval:com.ubuntu.xenial:tst:20165387040"
          comment="apache2-suexec-pristine package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
        <criterion test_ref="oval:com.ubuntu.xenial:tst:20165387050"
          comment="apache2-utils package in xenial was vulnerable but has been fixed (note: '2.4.18-2ubuntu3.1')." />
      </criteria>
    </criteria>

Meaning that if those packages are installed, they need to be at least
those versions. Granted, I can see how the actual version numbers are
basically freeform text in a comment field, but that is as official an answer
as it gets: "was vulnerable but has been fixed".

Ditto for the trusty release. So extracting the full XML paragraph
covering CVE-2016-5387 is an adequate answer as to which set of
packages were affected, and which versions of them mitigate the CVE in
question.

-- 
Regards,

Dimitri.

Re: Is there an official statement about the Ubuntu package version identifier

2019-06-07 Thread Rafael David Tinoco
Hello Leroy

Two good resources about versioning can be found here:

Debian versioning:

https://www.debian.org/doc/debian-policy/ch-controlfields.html#version

A blog entry from Robie Basak, explaining Ubuntu versioning in detail:

http://www.justgohome.co.uk/blog/2015/01/ubuntu-package-versions.html

A good way of making sure one version is greater than another is to execute:

    dpkg --compare-versions 1ubuntu1.0-1 gt 1ubuntu1.0~1 && echo "greater than" || echo "less than"

and check.

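The version ordering Rafael checks with dpkg --compare-versions, and the "at least this version" test behind Dimitri's OVAL criteria, implemented together as an added example (not code from the thread, nor Ubuntu's or dpkg's own): a Debian version comparison in Python, an OVAL-style check of installed packages against the CVE-2016-5387 fix versions, and a model of the upstream-only comparison the thread suspects of producing the false positive. The package list is a constructed miniature of the Xenial criteria quoted above, and the upstream fix release "2.4.23" used in the naive check is an assumption for illustration.

```python
import re

# Added example (not the thread's code): dpkg-style version ordering applied to OVAL "fixed in" data.
def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def _weight(c):
    # Debian Policy ordering: '~' < end-of-string (0) < letters < other chars
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

_PART = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def _cmp_part(a, b):
    """Compare two version parts run by run: lexical, then numeric."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ma, mb = _PART.match(a, ia), _PART.match(b, ib)
        sa, sb = ma.group(1), mb.group(1)
        for i in range(max(len(sa), len(sb))):
            wa = _weight(sa[i]) if i < len(sa) else 0
            wb = _weight(sb[i]) if i < len(sb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        na, nb = int(ma.group(2) or 0), int(mb.group(2) or 0)
        if na != nb:
            return -1 if na < nb else 1
        ia, ib = ma.end(), mb.end()
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

# Constructed miniature of the Xenial criteria for CVE-2016-5387 quoted above.
FIXED_IN_XENIAL = {"apache2": "2.4.18-2ubuntu3.1", "apache2-bin": "2.4.18-2ubuntu3.1",
                   "apache2-utils": "2.4.18-2ubuntu3.1"}

def vulnerable_packages(installed, fixed=FIXED_IN_XENIAL):
    """Installed packages below the fixed version; absent packages are not vulnerable."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)

def naive_upstream_check(installed_version, upstream_fix):
    """The scanner behaviour suspected in the thread: compare only the upstream
    part with the upstream fix release, ignoring the '-2ubuntu3.1' backport."""
    return compare_versions(_split(installed_version)[1], upstream_fix) < 0
```

With apache2 at 2.4.18-2ubuntu3.3 installed, the OVAL-style check reports nothing outstanding while the upstream-only check still flags it, which is the disputed finding in this thread.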

Is there an official statement about the Ubuntu package version identifier

2019-06-06 Thread Leroy Tennison
The reason I ask is I have a commercial vulnerability scanner reporting as 
"fail" a test (for example, CVE-2016-5387) of our systems where 
https://people.canonical.com/~ubuntu-security/cve/ states that a fix has been 
released and our current version appears to be later than that release.  I need 
to dispute that finding for compliance reasons but would like an official 
statement to show to the vendor concerning how Ubuntu handles these things.  I 
suspect the vendor is only checking the upstream major and minor version number 
rather than actually testing and thus concluding a "fail" erroneously.