[ubuntu-hardened] Incorrect CVE?

Marc Deslauriers marc.deslauriers at canonical.com
Wed Feb 22 12:30:20 UTC 2023


Hi,

On 2023-02-21 10:49, Koen De Groote wrote:
> Greetings,
> 
> I was checking CVEs for my Ubuntu 20.04 install and found this: 
> https://ubuntu.com/security/CVE-2009-5080 
> 
> The description says the vulnerability applies to the "groff" package, versions 
> 1.21 and below.
> 
> However, the default install of the "groff" package on Ubuntu 20.04 is version 
> 1.22.4:
> 
> $ dpkg --list | grep 'groff'
> ii  groff-base                           1.22.4-4build1                    amd64 
>         GNU troff text-formatting system (base system components)
> $  sudo apt install --only-upgrade groff-base --dry-run
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> groff-base is already the newest version (1.22.4-4build1).
> 
> Ubuntu 18.04 also has a more recent version:
> 
> $ dpkg --list | grep 'groff'
> ii  groff-base                             1.22.3-10                             
>            amd64        GNU troff text-formatting system (base system components)
> 
> $ sudo apt install --only-upgrade groff-base --dry-run
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> groff-base is already the newest version (1.22.3-10).
> 
> 
> Does the CVE page need to be updated, or is something else wrong?
> 
> Regards,
> Koen De Groote

The CVE description is wrong; it looks like the issues were fixed in 1.22.4, so 
Ubuntu 20.04 LTS is fixed, but Ubuntu 18.04 LTS still needs to be fixed.

I've updated our CVE tracker accordingly.

Thanks,

Marc.



