Hello Leroy

On 06/06/2019 16:03, Leroy Tennison wrote:
> The reason I ask is I have a commercial vulnerability scanner reporting
> as "fail" a test (for example, CVE-2016-5387) of our
> systems where https://people.canonical.com/~ubuntu-security/cve/ states
> that a fix has been released and our current version appears to be later
> than that release. I need to dispute that finding for compliance
> reasons but would like an official statement to show to the vendor
> concerning how Ubuntu handles these things. I suspect the vendor is
> only checking the upstream major and minor version number rather than
> actually testing and thus concluding a "fail" erroneously.

2 good resources about versioning can be found here:

Debian versioning:
https://www.debian.org/doc/debian-policy/ch-controlfields.html#version

A blog entry from Robie Basak, explaining Ubuntu versioning in detail:
http://www.justgohome.co.uk/blog/2015/01/ubuntu-package-versions.html

A good way of making sure a version is greater than another is to execute:

dpkg --compare-versions 1ubuntu1.0-1 gt 1ubuntu1.0~1 && echo greater than || echo less than

and check.
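
The ordering that dpkg --compare-versions applies, written out in Python as an added example (not part of the original message and not dpkg's own code), next to the upstream-only comparison the quoted question suspects the scanner of using. The function names are made up for this example, naive_upstream_check is a hypothetical model of that suspected logic, and the 1.2.x versions are constructed sample values.

```python
import re

DIGITS = "0123456789"

def _order(c):
    """dpkg's character weight: '~' sorts before everything, even end of string."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Compare the non-digit run character by character.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Compare the digit run numerically (an empty run counts as 0).
        m, n = re.match("[0-9]*", a[i:]).group(), re.match("[0-9]*", b[j:]).group()
        i, j = i + len(m), j + len(n)
        if int(m or 0) != int(n or 0):
            return -1 if int(m or 0) < int(n or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering versions as Debian policy describes."""
    for x, y in zip(_split(a), _split(b)):
        r = _cmp_part(x, y)
        if r:
            return r
    return 0

def naive_upstream_check(installed, upstream_fixed):
    """Hypothetical scanner logic: compare only the upstream numbers."""
    nums = lambda v: tuple(int(n) for n in re.findall("[0-9]+", _split(v)[1]))
    return "pass" if nums(installed) >= nums(upstream_fixed) else "fail"

def package_check(installed, distro_fixed):
    """Compare the full package version against the distribution's fixed version."""
    return "pass" if compare_versions(installed, distro_fixed) >= 0 else "fail"
```

With the constructed values, an installed 1.2.3-4ubuntu5.6 is reported as "fail" against an upstream fix in 1.2.9 by the naive check, while the full comparison against a distribution fix in 1.2.3-4ubuntu5.2 gives "pass".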