Score:2

How can I tell if an issue has been resolved via backporting?


I have a couple of 22.04.2 LTS servers running Apache 2.4.52. These systems are both only about 6 months old (built via GCP). A security scanner shows several Apache-related vulnerabilities on both systems; the specific CVEs are:

CVE-2022-22720
CVE-2022-23943
CVE-2022-31813
CVE-2023-25690

Each CVE shows that Apache 2.4.52 and earlier are impacted and gives the recommendation to update to a more recent version of Apache to resolve it. When I check apt list --upgradable on my system, I see no updates available.

Is this a possible repository issue, or has the issue been resolved via backporting?


I attempted to look up info for CVE-2022-22720 to try and determine if it was still vulnerable. I used the following link: https://ubuntu.com/security/cves?q=CVE-2022-22720

Beside the 22.04 LTS entry it shows "released", and clicking on the link goes to a page which shows my release type, "Jammy", and then "Released (2.4.52-1ubuntu2)", which is the current version of Apache I show as installed. Does this mean this fix has been backported?

I suppose I do not have a full grasp of backporting. If a fix for a CVE above has been backported, does that mean the issue has been resolved even though the version still shows as vulnerable in our scanner? If so, how do I go about verifying this so I can prove it to the entity that is scanning and reporting the problem? Thanks!

waltinator:
Read `man apt`. The `apt changelog` command will tell you.
marcelm:
See also [How do I update apache2 to the latest version on Debian jessie?](https://unix.stackexchange.com/a/404117/109651) - it's about Debian, but since Ubuntu is based on Debian most of it applies here.
Score:7

These are common questions.

"Released (2.4.52-1ubuntu2)" Which is the current version of Apache I show as installed.

Does this mean this fix has been backported or not?

It means that the CVE has been mitigated (patched, fixed) in the installed package. That mitigated package is no longer vulnerable to the exploit.

It does not mean that the mitigation was necessarily done by backporting any software. There are various methods; backporting is merely one among many.

does that mean the issue has been resolved even though the version still shows as vulnerable from our scanner?

Yes, that's exactly what it means. Ubuntu has released an updated package that is NOT vulnerable to the CVE...and you have installed it.

Patching vulnerabilities in a current version instead of bumping to a higher version is how Debian has handled CVEs for over 20 years (and Ubuntu for all 19 years). It's a long-accepted practice.

If your scanner cannot handle the most-common practice (for decades!) of CVE mitigation in Debian and Ubuntu, then it might arguably be time to look into a better scanner vendor.
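The verification the question asks for, written out as an added example (this script is not from the thread or from Ubuntu's tooling). Debian-format changelogs list entries newest first, so every CVE named in the entry for the installed version, or in any entry below it, is part of the package you have; entries above it are newer builds you do not have. The changelog embedded here is constructed for the example: the four CVE ids are the ones from the question, but the version numbers, dates, maintainer and the mapping of CVE to version are made up and must not be read as the real apache2 history. On a real host you would feed the script the output of `apt changelog apache2` (needs network access) or `zcat /usr/share/doc/apache2/changelog.Debian.gz` (offline, but minimized cloud images may have stripped /usr/share/doc), together with `dpkg-query -W -f='${Version}' apache2` for the installed version.

```shell
#!/bin/sh
# Added example: first-pass check of a Debian/Ubuntu changelog for the CVE ids
# a scanner flagged, relative to the version that is actually installed.

# CONSTRUCTED sample changelog. CVE ids are from the question; versions, dates,
# maintainer and the CVE-to-version mapping are invented for this example.
SAMPLE_CHANGELOG='apache2 (2.4.52-1ubuntu4.2) jammy-security; urgency=medium

  * SECURITY UPDATE: made-up entry for the example
    - debian/patches/CVE-2022-31813.patch, debian/patches/CVE-2023-25690.patch
    - CVE-2022-31813
    - CVE-2023-25690

 -- Example Maintainer <maint@example.invalid>  Mon, 13 Mar 2023 09:00:00 +0000

apache2 (2.4.52-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: made-up entry for the example
    - CVE-2022-22720
    - CVE-2022-23943

 -- Example Maintainer <maint@example.invalid>  Mon, 21 Mar 2022 09:00:00 +0000

apache2 (2.4.52-1) jammy; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.invalid>  Mon, 17 Jan 2022 09:00:00 +0000
'

# cves_fixed_in CHANGELOG_TEXT INSTALLED_VERSION
# Prints, one per line and de-duplicated, every CVE id mentioned in the entry
# whose version string equals INSTALLED_VERSION or in any older entry after it.
# Prints nothing if that version never appears (wrong package, or a changelog
# from a different build), so a missing version is never reported as "fixed".
cves_fixed_in() {
    printf '%s\n' "$1" | awk -v ver="$2" '
        # An entry header looks like:  pkgname (version) distribution; urgency=...
        /^[a-z0-9][a-z0-9.+-]* \(/ {
            v = $2; sub(/^\(/, "", v); sub(/\)$/, "", v)
            if (v == ver) in_range = 1
        }
        in_range {
            # A line may name several CVEs (patch file names, bullet lists).
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*/)) {
                print substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' | sort -u
}

# cve_fixed CHANGELOG_TEXT INSTALLED_VERSION CVE_ID  -> exit 0 if listed, 1 if not
cve_fixed() {
    cves_fixed_in "$1" "$2" | grep -qxF "$3"
}

# unfixed_cves CHANGELOG_TEXT INSTALLED_VERSION CVE_ID...
# Prints the flagged CVE ids that the installed version's changelog does NOT
# account for; these are the ones that still need an explanation or an update.
unfixed_cves() {
    changelog=$1; ver=$2; shift 2
    for cve in "$@"; do
        cve_fixed "$changelog" "$ver" "$cve" || printf '%s\n' "$cve"
    done
}

# report CHANGELOG_TEXT INSTALLED_VERSION CVE_ID...  -> human-readable summary
report() {
    changelog=$1; ver=$2; shift 2
    for cve in "$@"; do
        if cve_fixed "$changelog" "$ver" "$cve"; then
            echo "$cve: addressed in $ver (named in the package changelog)"
        else
            echo "$cve: not named at or below $ver - check the Ubuntu CVE tracker"
        fi
    done
    return 0
}

# Demonstration on the constructed sample with the version from the question.
# Real use: report "$(apt changelog apache2)" "$(dpkg-query -W -f='${Version}' apache2)" CVE-...
report "$SAMPLE_CHANGELOG" "2.4.52-1ubuntu2" \
    CVE-2022-22720 CVE-2022-23943 CVE-2022-31813 CVE-2023-25690
```

The script deliberately matches the installed version string exactly rather than trying to order Debian versions itself; `dpkg --compare-versions` does that correctly if you need it, but the changelog's newest-first order already answers the question of which entries you have. A changelog hit is evidence the maintainer addressed the id, not a substitute for reading the entry (it may say a CVE did not affect the build), so for the scanning team pair the matching changelog entry with the tracker page the question already cites and with `dpkg -l apache2` output showing the installed version.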

Ricky:
Thank you @user535733! That's exactly what I needed!