As I said previously, sorry for the delayed response. This is perfect, I wasn't aware of the significance of the usn link on people.canonical.com, that is exactly what I am going to use in my reply to the scanning vendor. Thank you so much for your reply.
Harriscomputer
Leroy Tennison
Network Information/Cyber Security Specialist

________________________________
From: Robie Basak <[email protected]>
Sent: Saturday, June 8, 2019 10:21:19 AM
To: Leroy Tennison
Cc: [email protected]
Subject: [EXTERNAL] Re: Is there an official statement about the Ubuntu package version identifier

Hi Leroy,

Some additions to what others have already said:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions points out "Sometimes external security vendors doing software version scanning against Ubuntu systems do not check actual package versions, leading to false positives in their scan reports. For an authoritative source of what packages may have outstanding vulnerabilities, the Ubuntu CVE Tracker can be consulted."

The Ubuntu CVE Tracker at https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5387.html says that the fix was released in package version "2.4.18-2ubuntu3.1" (in Xenial, for example), and I believe this database reflects the Ubuntu Security Team's official position. In addition it is confirmed in the linked announcement https://usn.ubuntu.com/3038-1/ which certainly is an official statement.

If that is not sufficient for your needs, why isn't it?

Robie
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
