On 04/02/17 10:16, Robie Basak wrote:
> Therefore you cannot use the upstream version number as an indicator of
> whether security vulnerabilities exist or not in any distribution package.

To expand again for this particular instance, the package can be checked at
(e.g.): http://packages.ubuntu.com/xenial/tcpdump

The changelog is linked in the right-hand menu, for which the latest entry is:

> tcpdump (4.7.4-1ubuntu1) wily; urgency=low
>
>   * Merge from Debian unstable. (LP: #1460170) Remaining changes:
>     - debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
>       install, rules, patches/patches/90_man_apparmor.diff}:
>       + Add AppArmor profile.
>     - debian/usr.sbin.tcpdump:
>       + Allow capability net_admin to support '-j'.
>     - Drop 60_cve-2015-2153-fix-regression.diff: upstream
>
>  -- Gianfranco Costamagna <costamagnagianfra...@yahoo.it>  Fri, 29 May 2015 20:13:33 +0200

Hence the repo version is vulnerable to various CVEs (e.g.
https://www.debian.org/security/2017/dsa-3775, and one example specifically
for < 4.9.0: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7936).

J

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
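As an added illustration of the point made in this thread (not code from the thread or from the Ubuntu project), the script below separates the upstream version from the CVE ids a Debian-format changelog actually mentions, so the two can be compared rather than inferred from the version alone. The changelog text is constructed: the second entry is the one quoted above, the first is a hypothetical security upload invented for the example, not a real tcpdump upload.

```shell
#!/bin/sh
# Constructed sample changelog. The newer (hypothetical) entry keeps the same
# upstream version 4.7.4 while naming a CVE, which is exactly why the upstream
# version string on its own says nothing about backported fixes.
SAMPLE_CHANGELOG='tcpdump (4.7.4-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: hypothetical backport, for illustration only
    - CVE-2016-7936

 -- Example Maintainer <maintainer@example.invalid>  Mon, 06 Feb 2017 10:00:00 +0000

tcpdump (4.7.4-1ubuntu1) wily; urgency=low

  * Merge from Debian unstable. (LP: #1460170) Remaining changes:
    - Drop 60_cve-2015-2153-fix-regression.diff: upstream

 -- Gianfranco Costamagna <costamagnagianfra...@yahoo.it>  Fri, 29 May 2015 20:13:33 +0200
'

# Upstream version of the newest entry: the part of the Debian version string
# before the first "-" (the Debian/Ubuntu revision is what changes on a backport).
upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z0-9.+-]* (\([^-)]*\).*$/\1/p' | head -n 1
}

# Every CVE id mentioned anywhere in the changelog, upper-cased and deduplicated.
# Patch file names such as 60_cve-2015-2153-... are matched case-insensitively.
cves_mentioned() {
    printf '%s\n' "$1" | grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr 'a-z' 'A-Z' | sort -u
}

# Exit 0 if the given CVE id appears in the changelog. A mention is a lead to
# read that entry, not proof of a fix (an entry can also drop a patch).
changelog_mentions_cve() {
    cves_mentioned "$1" | grep -qxF -- "$2"
}

main() {
    echo "upstream version: $(upstream_version "$SAMPLE_CHANGELOG")"
    echo "CVE ids mentioned in changelog:"
    cves_mentioned "$SAMPLE_CHANGELOG"
}

[ "${0##*/}" = "sh" ] || main
```

On a real system the changelog text comes from `apt-get changelog tcpdump` (or the packages.ubuntu.com link above) in place of the constructed sample.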