About CVEs

The Common Vulnerabilities and Exposures (CVE) system is used to identify, define, and catalogue publicly disclosed cybersecurity vulnerabilities. Canonical keeps track of all CVEs affecting Ubuntu, and releases a security notice when an issue is fixed.

In our CVE database, you can check which packages are affected by a given vulnerability for every supported Ubuntu version, and their statuses. We may also provide notes that can help you to better understand the impact of these vulnerabilities in an Ubuntu environment, and how we have fixed the issue.

Getting security updates

Ubuntu Long Term Support (LTS) releases get up to 12 years of security maintenance and support. The initial 5 years of standard security updates for packages in the Ubuntu Main repository come out of the box, together with fixes for packages in the Ubuntu Universe repository that come from the Ubuntu community and Debian.

Additional security coverage from Canonical for all packages in Main and Universe is provided through an Ubuntu Pro subscription for 10 years. Ubuntu Pro is free for personal use on up to 5 machines, or 50 machines for active Ubuntu community members. A further 2 years of security maintenance and support is provided with the paid Legacy Support add-on.

Automatic updates

Since 16.04 LTS, Ubuntu releases automatically apply most security updates daily by default. If you are using a release older than 16.04 LTS, you can enable unattended upgrades.

Update manually

You can also get patches as soon as they become available by upgrading all your installed packages to the latest version. You can do this by running the following command in your terminal:

sudo apt update && sudo apt upgrade

We recommend not cherry-picking updates for individual packages. If no fix is available yet for a specific CVE, check the notes on the CVE page for any mitigation or further information.

Get advanced security coverage with Ubuntu Pro

On top of the five years of free standard support for LTS releases, you can get Expanded Security Maintenance (ESM) with an Ubuntu Pro subscription. ESM provides 10 years of security updates for Ubuntu Main packages and 23,000+ Ubuntu Universe packages, including additional security updates from Canonical for critical and high priority CVEs. Ubuntu Pro is free for personal use on up to 5 machines, or 50 machines for active Ubuntu community members.

Ubuntu Pro also includes live kernel patching with Livepatch, FIPS compliant security updates, extended support for ROS, and more.

Fix a specific CVE with the Ubuntu Pro Client

If you want to get the fixes for a specific CVE, make sure you have the Ubuntu Pro Client installed, updated and set up. Then run this command on your terminal, replacing CVE-YYYY-XXXX with a valid CVE ID:

sudo pro fix CVE-YYYY-XXXX

Repositories

Security updates get distributed through several repositories. Some of them are public and freely available, while some others require an Ubuntu Pro subscription.

Freely available

main, restricted: These public repositories provide five years of security updates for Ubuntu base packages, which form the basis of the Ubuntu distribution.
universe, multiverse: These public repositories provide five years of best-effort security updates for community packages. Best-effort fixes include fixes provided by the Ubuntu community and Debian.

Require Ubuntu Pro

esm-infra: This repository provides ten years of security updates for packages in the main and restricted repositories.
esm-apps: This repository provides ten years of security updates by the Ubuntu Security team for packages in the universe and multiverse repositories, on top of best-effort fixes.

We also maintain these repositories for more specific use cases, available with Ubuntu Pro:

fips: This repository provides FIPS-certified packages.
fips-updates: This repository provides FIPS-compliant packages, based on FIPS-certified packages but with security updates by the Ubuntu Security team. These packages may be certified in the future.
ros: This ROS ESM repository provides ten years of security updates for ROS core packages.
ros-updates: This ROS ESM repository provides ten years of non-security updates for ROS core packages.

Priority levels

The Ubuntu Security team reviews new vulnerabilities when they are identified. If they affect packages distributed with supported Ubuntu releases, the team assesses the impact and assigns a priority level. Vulnerabilities are then addressed in order of priority level.

The Ubuntu priority is based on many factors including severity, importance, risk, estimated number of affected users, software configuration, active exploitation, and other factors which may adjust the impact of certain vulnerabilities such as Ubuntu's proactive security features.

Here are the guidelines that we generally use to assess the Ubuntu priority of a CVE. There may be cases in which we assign a priority level based on factors not accounted for in these guidelines. These priority levels are distinct from other published severity levels such as CVSS base scores, either ours or from other sources such as those used in the National Vulnerability Database (NVD). Learn more about how we prioritise CVEs.

Critical: A very damaging problem, typically exploitable for nearly all users in a default installation of Ubuntu. Includes remote root privilege escalations, remote data theft, and massive data loss.
High: A significant problem, typically exploitable for nearly all users in a default installation of Ubuntu. Includes serious remote denial of service, local root privilege escalations, local data theft, and data loss.
Medium: A significant problem, typically exploitable for many users. Includes network daemon denial of service, cross-site scripting, and gaining user privileges.
Low: A security problem, but hard to exploit due to the environment, requires a user-assisted attack, has a small install base, or does very little damage. These tend to be included in security updates only when higher priority issues require an update or if many low priority issues have built up.
Negligible: Technically a security problem, but only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These typically will not receive security updates unless there is an easy fix and some other issue causes an update.

CVSS security scores

Besides assigning a priority level to each CVE, we may provide a CVSS security score. The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS is not a measure of risk.

Statuses

When a new vulnerability is disclosed, we provide statuses for every package in every supported version. The status reflects whether the vulnerability affects the package, and the Ubuntu Security team's work to address it.

In the CVE search, you will see a summarised status that aggregates the information for every package and Ubuntu release. We do our best to make this summary representative of the status of the whole CVE. However, we recommend that you double-check the status on the individual CVE page for the specific packages and Ubuntu releases you are interested in.

Needs evaluation: The vulnerability of this package is not known for the given release. It needs to be evaluated.
Not affected: The package, while related to the CVE in some way, is not affected by the issue for the given release. We usually provide an explanation, either next to the status or in the notes.
Vulnerable: The package is affected by the issue for the given release.
Vulnerable, work in progress: The package is affected by the issue for the given release, and the Ubuntu Security team is currently working on a fix.
Vulnerable, fix deferred: The package is affected by the issue for the given release, but fixing has been deferred. We usually provide an explanation, either next to the status or in the notes.
Fixed: The package was affected by the issue for the given release, but a version fixed by the Ubuntu Security team is now available. We usually indicate the package version that contains the patch.
Ignored: The package, while related to the CVE in some way for the given release, won't be fixed. This could be because the package is no longer supported, the CVE has been withdrawn, or fixing the issue would break other functionality. We usually provide an explanation, either next to the status or in the notes.
Not in release: The package is not part of the given release.

Exporting CVE data

You can export our CVE data in two structured formats:

Ubuntu OVAL (recommended)

Structured, machine-readable XML dataset for all supported Ubuntu releases, based on the Open Vulnerability and Assessment Language (OVAL). It can be used to evaluate and manage security risks related to any existing Ubuntu components.

Documentation for Ubuntu OVAL

Ubuntu Security API

The Ubuntu Security API is still a work in progress and subject to change. Please don’t use it in production environments or automations.

Open JSON API that provides endpoints for our CVE database and the Ubuntu Security Notices (USN). You can find links to the JSON endpoints in the search pages and the individual CVE pages.

Documentation for the Ubuntu Security API
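To act on the per-package, per-release statuses described above rather than on the summarised status alone, here is an added Python example (not Canonical's code) that works on a CVE record such as one exported via the Security API. The record's field names, the mapping from status keys to the labels on this page, and the summary rule are assumptions, and the sample record is constructed.

```python
# Status keys in Ubuntu's CVE JSON mapped to the labels shown on CVE pages (assumed mapping; the API is subject to change).
STATUS_LABELS = {
    "needs-triage": "Needs evaluation",
    "not-affected": "Not affected",
    "needed": "Vulnerable",
    "pending": "Vulnerable, work in progress",
    "deferred": "Vulnerable, fix deferred",
    "released": "Fixed",
    "ignored": "Ignored",
    "DNE": "Not in release",
}
VULNERABLE = {"needed", "pending", "deferred"}

# Constructed sample (not real data); field names assume the shape of a CVE record from the Ubuntu Security API.
SAMPLE_CVE = {
    "id": "CVE-0000-00000", "priority": "high",
    "packages": [
        {"name": "examplelib", "statuses": [
            {"release_codename": "jammy", "status": "released", "description": "1.2.3-0ubuntu0.22.04.1"},
            {"release_codename": "noble", "status": "pending"},
            {"release_codename": "focal", "status": "DNE"}]},
        {"name": "exampletool", "statuses": [
            {"release_codename": "jammy", "status": "not-affected", "description": "code not present"},
            {"release_codename": "noble", "status": "needs-triage"}]},
    ],
}

def package_status(cve, release, package):
    """Page-style status label and fixed version/note for one package in one release; absent means not in release."""
    for pkg in (p for p in cve["packages"] if p["name"] == package):
        for st in pkg["statuses"]:
            if st["release_codename"] == release:
                return STATUS_LABELS.get(st["status"], st["status"]), st.get("description", "")
    return "Not in release", ""

def vulnerable_packages(cve, release, installed):
    """Installed packages whose status for `release` is still one of the Vulnerable states."""
    return [(p["name"], STATUS_LABELS[s["status"]])
            for p in cve["packages"] if p["name"] in installed
            for s in p["statuses"]
            if s["release_codename"] == release and s["status"] in VULNERABLE]

def summary_status(cve):
    """Aggregate over all packages and releases (assumed rule: any Vulnerable state wins, then Fixed, then Needs evaluation)."""
    seen = {s["status"] for p in cve["packages"] for s in p["statuses"]}
    if seen & VULNERABLE:
        return "Vulnerable"
    if "released" in seen:
        return "Fixed"
    return "Needs evaluation" if "needs-triage" in seen else "Not affected"
```

With the sample record the summary reads "Vulnerable" even though examplelib on jammy is already Fixed, which is why checking the status for your own release and packages matters.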