-1

In the CVE tracker page, what does the empty field mean?

For example, in this link: https://ubuntu.com/security/cves?q=CVE-2016-5696

Is the CVE not applicable to 20.04 LTS, or was its risk not evaluated in this version or end of life?

4
  • The long hyphen — character in the empty fields of the CVE tracker page is referred to as an em dash character. Commented Oct 10, 2023 at 13:36
  • Notice that the em-dash appears for releases following an "end state" transition, such as "Not vulnerable", "Does not exist", or "Released" which applies to subsequent releases. Commented Oct 10, 2023 at 13:55
  • Thank you for your reply! So if a fix was released in Ubuntu 18.04 LTS, it will be present in Ubuntu 20.04 and all the following releases? Are vulnerability patches cumulative? Commented Oct 10, 2023 at 14:46
  • You are looking at the page of search results. Click on the actual CVE page among the search results. Commented Oct 10, 2023 at 15:27

1 Answer

2

The em dash — characters in some columns of the CVE-2016-5696 table and other CVE tracker webpages mean that no results were reported for that release of Ubuntu, where the column headings identify these columns as different releases of Ubuntu like 18.04, 20.04, 22.04, 23.04, 23.10 and 24.04. It's possible that Ubuntu version yy.mm is vulnerable to the CVE, but we haven't been informed of that in the CVE tracker table because it is not reported. It's also possible that the bug was fixed in later versions of Ubuntu.

LTS after a release version stands for Long Term Support (5 years). ESM after a release version stands for Extended Security Maintenance of an additional 5 years after the 5 years of LTS support has ended.

4
  • So I can consider that if an em dash is present in the CVE field for Ubuntu version N, it is not vulnerable to the CVE? I was wondering if it meant end of life for security support but the component could still be vulnerable. Commented Oct 10, 2023 at 14:50
  • 1
    It's possible that Ubuntu version N is vulnerable to the CVE, but we haven't been informed of that in the CVE tracker table because it is not reported. It's also possible that the bug was fixed in later versions of Ubuntu. Commented Oct 10, 2023 at 15:00
  • 1
    @DenLi This is where you might want to read the page for the CVE itself and see what "affected versions" there are. If it's already been patched and included in Upstream and Ubuntu releases, chances are they stop tracking after that point because its fixes are already included. Which is the case for a lot of old CVEs like the one there. You have a specific example in another post by you - CVE-2017-6519. I answered that thread giving you a deep-dive into how I'd dissect and analyze it, rather than using that 'returned table' from the search itself. Commented Oct 10, 2023 at 15:06
  • Thank you for your detailed answer. Of course, I checked the CVE page. I just didn't understand the security release process yet. Commented Oct 10, 2023 at 16:00
