[ubuntu-hardened] Tooling question about collecting changelog info for security updates

Mike McCracken (mikmccra) mikmccra at cisco.com
Fri May 31 22:05:28 UTC 2024


Hi, I am wondering if there is already a tool to generate this kind of report about 
CVE-driven and other security fixes in the archive:

I have container images based on ubuntu being built at regular intervals, and 
we are updating all packages to get the latest security updates at image build time.
In order to be able to tell if a build of my images has a given fix, I produce a list
of all packages that were installed and their versions.

What I would like to do is given two such lists, get all the changelogs (or just CVE IDs)
for each update that happened between those lists.

So, for example, using recent jammy releases of git:
at time T, I build an image that has a list including git like this:

```
git 1:2.34.1-1ubuntu1.9
```

and then Time T+1 I rebuild and get a git that's two package releases newer:

```
git 1:2.34.1-1ubuntu1.11
```

Then I want to be able to produce a file where I get the logs for each increment of the package
between those versions:

```
# git
1:2.34.1-1ubuntu1.9 - 1:2.34.1-1ubuntu1.11

## 1:2.34.1-1ubuntu1.10 changes

git (1:2.34.1-1ubuntu1.10) jammy; urgency=medium
.
* Fix issue where untracked files are not recovered during a stash
pop/apply operation when a merge conflict is present. Untracked
files are now correctly restored regardless if a conflict is
present or not. (LP: #2026319)
- d/p/lp-2026319-stash-do-not-return-before-restoring-untracked-files.patch

## 1:2.34.1-1ubuntu1.11 changes

git (1:2.34.1-1ubuntu1.11) jammy-security; urgency=medium
.
* SECURITY UPDATE: Facilitation of arbitrary code execution
- debian/patches/CVE-2024-32002.patch: submodule paths
must not contains symlinks in builtin/submodule--helper.c.
- CVE-2024-32002

...etc
```

This info is available on Launchpad easily enough for manual looking,
but it doesn't seem to be exposed in a straightforward way
for scripting to automate the whole list. So I thought I'd ask if anyone
has already tackled this, or knows of a better way to get this info,
and then I can just use their work and praise their name.

Thanks!
-mike