Use pro fix to solve a CVE/USN#
The Ubuntu Pro Client (pro) can be used to inspect and resolve Common Vulnerabilities and Exposures (CVEs) and Ubuntu Security Notices (USNs) on your machine.
Every CVE/USN is fixed by trying to upgrade all of the affected packages described by the CVE or USN. Sometimes, the package fixes can only be applied if an Ubuntu Pro service is already enabled on your machine.
In this tutorial, we will introduce the pro fix command and guide you through a simple example of using it to solve a CVE/USN.
You may encounter other scenarios when using pro fix, but covering them here would distract from this tutorial, so they are described separately in How to Understand scenarios encountered using pro fix to solve a CVE/USN.
Install Multipass#
In this tutorial, we will use a Xenial Multipass virtual machine (VM) to avoid making any modifications to your machine. We have chosen Multipass for this tutorial because it allows us to easily launch VMs without requiring any complicated setup.
To install Multipass on your computer, run the following command on your machine:
$ sudo snap install multipass
Create the Xenial Multipass VM#
Now that we have installed Multipass, we can launch our Multipass VM by running this command:
$ multipass launch xenial --name dev-x
Now we can access the VM by running the command:
$ multipass shell dev-x
Notice that when you run this command, your terminal username and hostname change to:
ubuntu@dev-x
This indicates that you are now inside the VM.
Finally, let’s run apt update and apt upgrade on the VM to make sure we are operating on the correct version of Xenial:
$ sudo apt update && sudo apt install ubuntu-advantage-tools
From now on, every time we say: “run the command” our intention is for you to run that command inside your VM.
Use pro fix#
Every pro fix output has a similar structure. It:
describes the CVE/USN;
displays the affected packages;
fixes the affected packages; and
at the end, shows if the CVE/USN is fully fixed in the machine.
This is best demonstrated in a pro fix call that does fix a package.
Therefore let us install an older package on the VM that we know is associated with CVE-2020-25686. You can install the package by running these commands:
$ sudo apt update
$ sudo apt install dnsmasq=2.75-1
Now, let’s run pro fix on the CVE:
$ sudo pro fix CVE-2020-25686
You will then see the following output:
CVE-2020-25686: Dnsmasq vulnerabilities
https://ubuntu.com/security/CVE-2020-25686
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }
✔ CVE-2020-25686 is resolved.
Note
We need to run the command with sudo because it will be installing a package on the system.
Whenever pro fix has a package to upgrade, it follows a consistent structure and displays the following, in this order:
The affected package
The availability of a fix
The location of the fix, if one is available
The command that will fix the issue
Also, at the end of the output you can see confirmation that the CVE was fixed by the command. Just to confirm that the fix was successfully applied, let’s run the pro fix command again, and we should now see the following:
CVE-2020-25686: Dnsmasq vulnerabilities
https://ubuntu.com/security/CVE-2020-25686
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
The update is already installed.
✔ CVE-2020-25686 is resolved.
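The output structure described above can be condensed into one record per package for a change or audit log. The script below is an added example, not part of this tutorial or of the Ubuntu Pro Client; the function name summarize_pro_fix, the record layout and the action labels are assumptions, and it recognises only the two output shapes shown above (fix command displayed, update already installed).

```shell
#!/bin/sh
# Added example (not part of the Ubuntu Pro Client): condense `pro fix` text
# output into one record per affected package, for change or audit logs.
# Only the two output shapes shown in this tutorial are recognised.

# Reads `pro fix` output on stdin and prints
#   <issue>|<package>|<fix location>|<action>|<resolved|unresolved>
# Exit status: 0 resolved, 1 not confirmed resolved, 2 input not recognised.
summarize_pro_fix() {
    awk '
        { sub(/^[ \t]+/, "") }                      # tolerate indentation
        issue == "" && /^(CVE-[0-9]+-[0-9]+|USN-[0-9]+-[0-9]+): / {
            issue = $1; sub(/:$/, "", issue); next  # "CVE-...: title"
        }
        /^\([0-9]+\/[0-9]+\) / {                    # "(1/1) dnsmasq:"
            n++; pkg[n] = $2; sub(/:$/, "", pkg[n])
            src[n] = "-"; act[n] = "none"; next
        }
        n && /^A fix is available in / {            # where the fix comes from
            src[n] = $0
            sub(/^A fix is available in /, "", src[n]); sub(/\.$/, "", src[n])
            next
        }
        n && substr($0, 1, 2) == "{ " { act[n] = "apt-upgrade"; next }
        n && /^The update is already installed\./ { act[n] = "already-installed"; next }
        issue != "" && / is resolved\.$/ && index($0, issue) { resolved = 1 }
        END {
            if (issue == "") exit 2
            state = resolved ? "resolved" : "unresolved"
            for (i = 1; i <= n; i++)
                printf "%s|%s|%s|%s|%s\n", issue, pkg[i], src[i], act[i], state
            exit (resolved ? 0 : 1)
        }'
}

# Sample input: the first-run output shown in this tutorial.
SAMPLE_FIRST_RUN='CVE-2020-25686: Dnsmasq vulnerabilities
https://ubuntu.com/security/CVE-2020-25686
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }
✔ CVE-2020-25686 is resolved.'

printf '%s\n' "$SAMPLE_FIRST_RUN" | summarize_pro_fix
```

Inside the VM, the same function can read live output with: sudo pro fix CVE-2020-25686 | summarize_pro_fix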
Success!#
Congratulations! You successfully ran a Multipass VM and used it to encounter and resolve a CVE by using pro fix.
Close down the VM#
When you are finished and want to leave the tutorial, you can shut down the VM by first pressing CTRL + D to exit it, and then running the following commands to delete the VM completely:
$ multipass delete dev-x
$ multipass purge
Next steps#
We have successfully encountered and resolved the main scenarios that you might find when you run pro fix.
This is not the only scenario where you might want to use pro fix. To find out about the other situations where it can be useful, as well as which options can be used to give you greater control over the command, you can refer to the following guides:
In Understanding scenarios encountered when using pro fix to solve a CVE/USN you can continue using the test environment you created here to explore different scenarios you might encounter and understand the different outputs you will find.
How do I know what the pro fix command would change? will show you how to use pro fix in --dry-run mode to safely simulate the changes before they’re applied.
How to skip fixing related USNs will show you how to only fix a single USN, even if other fixes are available.
If you need more information about this, please feel free to reach out to the Ubuntu Pro Client team on #ubuntu-server on Libera IRC – we’re happy to help!
Alternatively, if you have a GitHub account, click on the “Give feedback” link at the top of this page to leave us a message. We’d love to hear from you!