CVEs and USNs explained

What is a CVE

Common Vulnerabilities and Exposures (CVEs) are a way to catalogue and track public security vulnerabilities for a given software. Every CVE is identified through a unique identifier, for example CVE-2023-0465.

CVEs are maintained by the MITRE Corporation and the goal of the project is to provide naming conventions for the public known security issues while also maintaining a centralised repository for all of the security issues. This makes it easier for an organisation to submit a new security flaw though the CVE convention while also analysing any other existing CVEs in the database.

You can search for any existing CVE related to Ubuntu using the Ubuntu CVE page.

What is a USN?

An Ubuntu Security Notice (USN) is the way that Canonical publicly catalogues and displays security vulnerabilities for Ubuntu packages. Usually, a USN is composed of one or more [CVEs](#what-is-a-cve) and it also contains update instructions to fix the issue, if a fix is already available.

USNs follow a naming convention of the format USN-5963-1.

You can search for any existing USN using the Ubuntu Security Notices page.

What are related USNs?

A USN is composed of different CVEs. If the same CVE appears on multiple USNs, we say that those USNs are related.

In the following image, we can see a visual representation of that concept, where USN-789 and USN-321 are related USNs because both are affected by CVE-2:

graph TD; %% nodes usn1[USN-123] usn2[USN-456] usn3[USN-789] usn4[USN-321] usn5[USN-654] cve1((CVE-1)) cve2((CVE-2)) cve3((CVE-3)) %% arrows usn1-->cve1 usn1-->cve2 usn1-->cve3 cve1-->usn2 cve2-->usn3 cve2-->usn4 cve3-->usn5

A real example can be seen in USN-5573-1. In the section Related notices, it shows that both USN-5570-1 and USN-5570-2 are related to USN-5573-1.

This information is useful for users that want to tackle all related USNs at once, making sure that a CVE is fully fixed on their Ubuntu machine.