I'm using Ubuntu 20.04.3 LTS (focal) with XFCE DE, on an AMD 64-bit machine. When I did apt upgrade today, the package libcaca0 was upgraded as below:
Unpacking **libcaca0:amd64 (0.99.beta19-2.1ubuntu1.20.04.2)** over **(0.99.beta19-2.1ubuntu1.20.04.1)**
I just googled out of curiosity to see what this package does and encountered this page: https://ubuntu.com/security/notices/USN-5119-1
It says that there is a known security vulnerability in this package and that it needs to be upgraded to libcaca0 - 0.99.beta19-2.2ubuntu2.1 in order to mitigate it. However, as you can see, apt only upgrades to the version 19-2.1.
I tried to upgrade the particular package only, using
`sudo apt-get --only-upgrade install libcaca0`
but it says libcaca0 is already the newest version (0.99.beta19-2.1ubuntu1.20.04.2).
This page says that there's no fix available till 2021-10-13:
https://ubuntu.com/security/CVE-2021-30499
However, as per this page, ver. 19.2.2 has been released on 2021-03-20:
https://launchpad.net/debian/+source/libcaca/0.99.beta19-2.2
And the download seems to be available at:
https://launchpad.net/ubuntu/+source/libcaca/0.99.beta19-2.2ubuntu1.1
(I noticed that the release confirmation page belongs to Debian, while the download page points to Ubuntu. I believe both the release and download pages will be available for both distros, so the question is not about that.)
My question
If the package version is available for download (for Ubuntu), why couldn't apt upgrade to it? Is it because of some approval pending? If so, why is there a download available?
My intention is not to complain, but rather to scrutinize/understand the generic process/reason and what to do in this/these kind of situations, like:
- whether to download the available tar and install, or to wait for the apt version to be available,
- shouldn't the users be notified of such issues (esp. on security vulnerabilities), or is it not possible at all,
- if the package has a vulnerability, why does apt upgrade even recommend it (and is it not possible to remove it until a fix is available, provided, of course, an alternative package is available to meet other dependencies),
- etc.
And, if possible, some expert notes on the technicalities of the vulnerability, how/why it is caused, etc. [I know.. I should look it up myself.. but, still! :) ]. Even though I've been using it for quite some time now, I'm relatively new to Linux and not yet even a core user, let alone a contributor.
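The whole question turns on how dpkg orders two version strings, so the added example below (editor-written, not code from the original post or from Ubuntu) re-implements dpkg's version comparison (the ordering in Debian Policy section 5.6.12: epoch, then upstream version, then revision, with `~` sorting before everything and digit runs compared numerically) and runs it over the version strings quoted in the question. The function names and the `carries_fix` helper are assumptions made for illustration. Two caveats a practitioner would apply: a USN lists one fixed version per supported release, so the comparison only means something against the entry for your own release, and the `20.04` embedded in the focal revision marks a build made for that release, which is how Ubuntu ships backported fixes under a lower-looking number.

```python
"""Added example: Debian/Ubuntu package version ordering, as dpkg does it.

Editor-written illustration, not part of the original post. It mirrors
dpkg's verrevcmp() so the versions quoted in the question can be compared
offline; on a real host `dpkg --compare-versions A ge B` gives the same
answer. The sample version strings below are the ones from the post.
"""


def _order(c: str) -> int:
    """Sort weight of one character in a version fragment (dpkg's rule).

    Digits and end-of-string weigh 0, letters weigh their ASCII value,
    '~' is lowest of all (below end-of-string), anything else sorts
    after every letter.
    """
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment the way dpkg does."""
    while a or b:
        # Non-digit run: character-by-character with the weights above.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: numeric comparison, leading zeros ignored.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():      # a has more digits: it is the larger number
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def carries_fix(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version.

    Only meaningful when `fixed` is the USN entry for the same release.
    """
    return compare_versions(installed, fixed) >= 0


# Constructed sample: the version strings quoted in the question.
FOCAL_BEFORE = "0.99.beta19-2.1ubuntu1.20.04.1"
FOCAL_AFTER = "0.99.beta19-2.1ubuntu1.20.04.2"   # what apt installed on focal
USN_QUOTED = "0.99.beta19-2.2ubuntu2.1"          # version the poster read in the USN

if __name__ == "__main__":
    print(compare_versions(FOCAL_BEFORE, FOCAL_AFTER))  # -1: the upgrade moved forward
    print(carries_fix(FOCAL_AFTER, USN_QUOTED))         # False: 2.1ubuntu1... sorts below 2.2ubuntu2.1
```

The decisive step is in the revision: `2.1ubuntu1.20.04.2` and `2.2ubuntu2.1` agree on the leading `2.`, then `1` loses to `2` numerically, so everything after that (including the `20.04` release marker) never gets looked at. To see what each configured repository actually offers for the package, `apt-cache policy libcaca0` lists the candidate and every available version with its origin.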