-3

https://ubuntu.com/security/CVE-2023-32629

If you look at the link above, it says that there are no vulnerabilities from the above based on focal, and that focal(20.04) has been released starting from kernel version 5.4.0-155.172.

Based on the above, can we say that only 20.04 corresponds to that CVE, and since it was released in 5.4.0-155.172, versions prior to 5.4.0-155.172 are considered vulnerable?

For example, I wonder if version 5.4.0-107-generic corresponds to CVE-2023-32629!

It is easy to check kernel vulnerabilities from the link below, but it is difficult to check kernel vulnerabilities supported by Ubuntu, so I am asking this question. (https://www.linuxkernelcves.com/streams/5.4)

If you have a link where I can view this information more easily, please forward it to me.


Thank you for the answer! The translation was sloppy, so the content has been modified. Sorry.

https://ubuntu.com/security/CVE-2023-32629 Does that mean the focal release in the link above is a single kernel package?

I appreciate the security patch you provided, but I would like to check if version 5.4.0-107-generic has a CVE.

It doesn't come up when I search, but I was wondering if this was true or if there was a way to check it separately, so I asked this question!

Do I have to read every security patch article one by one?

The security patch provided as an example seems confusing because it does not say whether 5.4.0 is included or not.


1 Answer

1

I don't really understand your question.

But I think maybe your question is, if a single kernel patch relates to a single CVE.

In that case, no. When a new patch is released for Ubuntu, the developers take in relevant patches, both CVEs and other relevant upstream patches.

So a single kernel release typically includes several CVEs, but it might also be "just" an update release with no CVEs.

The Ubuntu Security notices inform you about which CVEs are included in which kernels.

Take this release from September 5th as an example.

Another option is that you can explore the kernel source changelog directly, and search for a specific kernel version.

If you find the Linux source package for Focal, click Ubuntu changelog on the right.

Now search for the version you want to check (e.g. 5.4.0-107). Here you can see exactly which patches and CVEs were included in this release.

Also, please see existing Q&A about the same topic.

  • How is it confusing? It affects Ubuntu 20.04 and 22.04, and the kernel versions are very specific. Also, if you don't trust the security team to do their job, your only other option is to patch and recompile kernel yourself. Again, what's your specific question??? Commented Sep 18, 2023 at 6:28
  • I wonder if the only way to confirm that there is a CVE version corresponding to 5.4.0-107-generic is to go through the security patch posts one by one and check them, as shown in the comment above.
    – c0rvus
    Commented Sep 18, 2023 at 6:38
  • Rather than seeing what CVEs this kernel has been patched for, I want to see what CVEs this kernel is currently exposed to.
    – c0rvus
    Commented Sep 19, 2023 at 9:52
  • I don't think you can have a complete list of all CVEs that are NOT patched in a given kernel version. Commented Sep 19, 2023 at 11:01
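
The changelog lookup described in the answer can be scripted. The following is an added example, not part of the original thread: it lists the CVEs mentioned in changelog entries newer than a given kernel. The changelog text is a constructed sample (only the pairing of CVE-2023-32629 with 5.4.0-155.172 comes from the page), and the function names are hypothetical.

```python
import re

# Constructed sample in Debian changelog format. Only the pairing of
# CVE-2023-32629 with 5.4.0-155.172 is from the page; the CVE-0000-* ids
# are placeholders and the other version numbers are made up.
SAMPLE_CHANGELOG = """\
linux (5.4.0-155.172) focal; urgency=medium

  * CVE-2023-32629
    - (constructed entry)

linux (5.4.0-120.136) focal; urgency=medium

  * CVE-0000-0002
    - (constructed entry)

linux (5.4.0-107.121) focal; urgency=medium

  * CVE-0000-0001
    - (constructed entry)
"""

HEADER = re.compile(r"^linux \((\S+)\) (\S+);", re.M)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)")

def abi_key(version):
    """Map '5.4.0-107-generic' (uname -r) or '5.4.0-155.172' to (5, 4, 0, 107)."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"not an Ubuntu kernel version: {version!r}")
    return tuple(int(part) for part in m.groups())

def fixes_missing_from(running, changelog, series="focal"):
    """Return {CVE: first version mentioning it} for entries newer than `running`."""
    parts = HEADER.split(changelog)  # [preamble, ver, series, body, ver, ...]
    entries = list(zip(parts[1::3], parts[2::3], parts[3::3]))
    missing = {}
    # Changelogs are newest first; walk oldest first so the earliest fix wins.
    # Assumption: comparing at ABI granularity (107 vs 155) is precise enough.
    for version, entry_series, body in reversed(entries):
        if entry_series != series or abi_key(version) <= abi_key(running):
            continue
        for cve in CVE_ID.findall(body):
            missing.setdefault(cve, version)
    return missing

if __name__ == "__main__":
    for cve, ver in fixes_missing_from("5.4.0-107-generic", SAMPLE_CHANGELOG).items():
        print(f"{cve}: first fixed in {ver}")
```

The result covers only CVEs for which a fix has been published in the changelog; a CVE with no released fix does not appear in it.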
