Hi Srdjan, Thanks for taking the time to report this issue and help making Ubuntu better.
The USN you mentioned, applied the fix to the source package libidn2 (https://packages.ubuntu.com/source/bionic/libidn2) You can see on the mentioned page that this source package generates multiple binary packages, including: idn2 and libidn2-0. So, on the USN page that you mentioned we are referring to those binary packages, but on the CVE page we are only dealing with source package names. So we already have the released in the lines for libidn2. The lines that you are referring that are marked as DNE, is for the libidn2-0 source package (https://packages.ubuntu.com/source/xenial/libidn2-0), which only exists on Ubuntu Xenial (16.04) and Trusty (14.04), and that's why it is marked as DNE (Do Not Exist) in the CVE page. So this is just a confusion between source packages and binary packages. Binary packages is what you install on a apt-get install command. Source packages is where we apply the fix, and where the binary packages will be generated from. Hope I didn't get you more confused on this. Thanks ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855768 Title: Ubuntu-security CVE-2019-18224 web page shows incorrect info about libidn2-0 status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/1855768/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
