My scanning service says I have a vulnerability with traceroute.

Asked by John

I'm trying to upgrade to the latest traceroute, but the command response says I have the latest, which is the version with the vulnerability USN-6478-1: Traceroute vulnerability. Is there another repo with the latest patched version?

Question information

Language: English
Status: Answered
For: Ubuntu traceroute
Assignee: No assignee
John (jccompfix) said :
#1

My version is traceroute 1:2.1.0-2ubuntu0.20.04.1~esm1 (installed version: 1:2.1.0-2)

Manfred Hampl (m-hampl) said :
#2

The strategy for dealing with CVE errors in Ubuntu usually is not an upgrade to a higher version of the software, but correcting the problem in the older version with an appropriate patch.

If you have traceroute version 1:2.1.0-2ubuntu0.20.04.1~esm1 installed, then you are not vulnerable.
See https://ubuntu.com/security/notices/USN-6478-1 and https://ubuntu.com/security/CVE-2023-46316

"My scanning service says ..."
I assume that the "scanning service" that you use looks just at the version number and deems everything below 2.1.3 vulnerable, even if the version in Ubuntu has already been patched.

For diagnostic purposes, what output do you receive for the command
apt policy traceroute
