APT Security – How to Check if a CVE is Fixed in Ubuntu Repositories


Today a couple of buffer overflows in NTP were announced 1, 2. It looks like updating my system to fix these issues is in order.

How can I find out if they have been fixed in the Ubuntu repositories, such that if I were to run:

sudo apt-get update
sudo apt-get upgrade

then the fix would get installed and the vulnerability closed?

Edit: The selected answer specifically addresses the question of how to identify if a given CVE has been fixed or not; "Does Ubuntu generally post timely security updates?" 3 is certainly related but not identical.

Best Answer

What you're looking for are Ubuntu Security Notifications and they are not clearly listed in the repositories. This page is the main Ubuntu Security Notifications listing.

As for individual packages, updates which address security fixes are in their own special repository, the -security pocket. Using Synaptic, you can switch to the "Origin" view, and see packages in the RELEASE-security pocket.

All CVEs are also listed in the Ubuntu Security Team's CVE tracker - with your specifically referenced CVE here. In the case of CVE-2014-9295 which you reference here, it has not yet been fixed.

Once an update is available, it will be detected by sudo apt-get update; sudo apt-get upgrade once it's released in the security repository.
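
A command-line counterpart to the tracker lookup described in the answer, as an added example that is not part of the original question or answer. It assumes that Ubuntu security uploads name the CVEs they fix in the package changelog; the function names `cve_fix_entry`, `cve_status` and `sample_changelog` are hypothetical, and the sample changelog with its version strings is constructed.

```shell
#!/bin/sh
# Prints "<version> <pocket>" of the oldest entry in a Debian-format changelog
# (stdin, newest entry first) that mentions the given CVE id; status 1 if none.
cve_fix_entry() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 2
    awk -v cve="$1" '
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {   # entry header: pkg (version) pocket; ...
            ver = $2; gsub(/[()]/, "", ver)
            pocket = $3; sub(/;$/, "", pocket)
            next
        }
        # Require a non-digit after the id so CVE-2014-9295 never matches CVE-2014-92950.
        $0 ~ (cve "([^0-9]|$)") { found = ver " " pocket }
        END { if (found == "") exit 1; print found }
    '
}

# Live check on an Ubuntu host, e.g.: cve_status ntp CVE-2014-9295
cve_status() {
    fix=$(apt-get changelog "$1" 2>/dev/null | cve_fix_entry "$2") || {
        echo "$2: no entry found in the $1 changelog apt can fetch"; return 1; }
    have=$(dpkg-query -W -f='${Version}' "$1")
    if dpkg --compare-versions "$have" ge "${fix%% *}"; then
        echo "$2: fixed in installed $1 $have"
    else
        echo "$2: fixed in $fix, installed $have is older; upgrade"
    fi
}

# Constructed changelog excerpt (versions are made up, not real Ubuntu releases).
sample_changelog() { cat <<'EOF'
ntp (1:4.2.6-0example3) trusty-security; urgency=medium

  * SECURITY REGRESSION: follow-up to the CVE-2014-9295 patch

 -- Example Maintainer <maint@example.com>  Tue, 06 Jan 2015 10:00:00 +0000

ntp (1:4.2.6-0example2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflows
    - debian/patches/CVE-2014-9295.patch

ntp (1:4.2.6-0example1) trusty; urgency=low

  * New upstream release
EOF
}
sample_changelog | cve_fix_entry CVE-2014-9295   # demo run on the sample only
```

A missing changelog entry is not proof that a package is unaffected; the Ubuntu CVE tracker mentioned in the answer remains the place to confirm status.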