by neic 3513 days ago
I see that Ubuntu 16.04 LTS has version 7.47.0 [1]. It's been 9 months, 9 releases and at least 15 CVEs since then. I can also see that some of the CVEs were reported to distros@openwall [2]. I (naively) assumed that once this was reported, the package maintainers would update the packages and push a release at the same time as the original developer made a public statement. Then I could just update my system and be done with it.

Where is the fault in this chain? How can I as a maintainer of a few servers be sure my servers are secure without manually patching every package?

[1] http://packages.ubuntu.com/xenial/libcurl3
[2] http://oss-security.openwall.org/wiki/mailing-lists/distros

EDIT: changed "12 CVEs" to "at least 15 CVEs". The changelog doesn't have CVE numbers in the title for all of them.

4 comments

It's the concept of LTS distributions to stick with one version and only patch important bugfixes and security vulnerabilities.

So if the Ubuntu security team does its job properly then you shouldn't have a reason to worry.

(However given the number of security vulns these days it's often challenging for LTS distributions to backport all security fixes. There are already breakdowns of the LTS concept, e.g. sticking with latest upstream versions for some packages like chromium where backporting is not realistic.)

Yep, you can see that Ubuntu has been backporting security fixes: https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.1
Debian similarly is backporting security fixes.

You can see the status of all known CVEs and which .deb updates patch them here: https://security-tracker.debian.org/tracker/source-package/c...

The best way to stay on top of things is to subscribe to your distro's security advisory mailing list, for example https://lists.debian.org/debian-security-announce/

If you go to the "Ubuntu Changelog" link on the right, you can see that they've backported three security fixes (CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421) since the 16.04 LTS release.

You are trusting Ubuntu's judgment that the remaining 12 CVEs aren't that important. Ubuntu's security team is pretty good, but I don't think there is any distro that is extremely good. In part this is because a distro is on the hook for compatibility of all the software they ship, and expected to prioritize compatibility over security. Anything other than targeted security fixes can cause regressions.

You can get an overview of the various CVEs affecting curl: https://people.canonical.com/~ubuntu-security/cve/pkg/curl.h...
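To make the "check the Ubuntu changelog" advice from the comments above repeatable, here is an added example (my own code, not from anyone in this thread, from Ubuntu or from the curl project) that parses a Debian-format changelog and reports which CVEs are addressed in a given package revision. The changelog text is a constructed sample modelled on the curl revisions and CVE numbers named in the thread; the entry bodies and maintainer line are invented.

```python
import re
from typing import Dict, List, Set

# Constructed sample in Debian changelog format, newest entry first.
# Versions and CVE ids mirror those named in the thread; bodies are invented.
SAMPLE_CHANGELOG = """\
curl (7.47.0-1ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: TLS session reuse with the wrong certificate
    - CVE-2016-5419
  * SECURITY UPDATE: client certificate not re-checked on TLS resumption
    - CVE-2016-5420
  * SECURITY UPDATE: use of a connection after it was freed
    - CVE-2016-5421

 -- Example Maintainer <maintainer@example.invalid>  Wed, 03 Aug 2016 10:00:00 -0400

curl (7.47.0-1ubuntu2) xenial; urgency=medium

  * Build fix, no security content.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 14 Mar 2016 10:00:00 -0400
"""

ENTRY_HEADER = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=", re.M)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text: str) -> List[Dict]:
    """Return entries newest-first as [{'version': str, 'cves': set}, ...].
    CVE ids are collected from the whole entry body, not just bullet titles,
    because Ubuntu changelogs do not always put the CVE in the headline."""
    entries = []
    headers = list(ENTRY_HEADER.finditer(text))
    for idx, m in enumerate(headers):
        end = headers[idx + 1].start() if idx + 1 < len(headers) else len(text)
        body = text[m.end():end]
        entries.append({"version": m.group(2), "cves": set(CVE_ID.findall(body))})
    return entries

def fixed_cves(entries: List[Dict], installed_version: str) -> Set[str]:
    """CVEs addressed at or before installed_version. Relies on changelog
    order (newest first) rather than dpkg version arithmetic: every entry
    from the installed revision down to the oldest is part of that build."""
    for idx, e in enumerate(entries):
        if e["version"] == installed_version:
            return set().union(*(x["cves"] for x in entries[idx:]))
    raise ValueError(f"{installed_version} not found in changelog")

def missing_cves(entries: List[Dict], installed_version: str, wanted) -> Set[str]:
    """Which of the CVEs you care about are not yet in the installed build."""
    return set(wanted) - fixed_cves(entries, installed_version)
```

On a real system, feed it the output of `apt-get changelog curl` and the installed revision from `dpkg-query -W -f='${Version}' curl`; the upstream part (7.47.0) alone tells you nothing, the Ubuntu revision and its changelog entries do.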