• Logo
    Ubuntu Pro
  • Forum
  • Ubuntu Pro FAQ
  • Pro services
    • Expanded Security Maintenance (ESM)
    • Livepatch
    • FIPS 140-2
    • Ubuntu Security Guide (USG)
    • CIS benchmarking
    • Common Criteria EAL2
    • ROS ESM
    • Real-time kernel
Contents Menu Expand Light mode Dark mode Auto light/dark mode
Ubuntu Pro Client documentation
Ubuntu Pro Client documentation
  • Tutorials
    • Introduction to the Pro Client commands
    • Explore your system's security with Pro
    • Create an Ubuntu FIPS Docker image
    • Host your own APT news
  • How-to guides
    • Attach...
      • How to attach
      • How to simulate attaching
      • How to attach with a configuration file
    • Enable...
      • Anbox Cloud
      • CC EAL
      • CIS or USG
      • ESM-Infra and ESM-Apps
      • ESM-Infra Legacy on Trusty
      • FIPS
      • Landscape
      • Livepatch
      • Real-Time Ubuntu
    • Fix vulnerabilities...
      • Is my system affected by this specific CVE?
      • Resolve a single CVE or USN
      • Discover what the `fix` command would change
      • Skip fixing related USNs
      • Better visualise results when fixing multiple CVEs
    • Use the Client...
      • Check Ubuntu Pro Client version
      • Display APT News
      • Configure a timer job
      • Update MOTD and APT messages
      • How to use custom APT configuration
    • Configure a proxy
    • Configure TLS-in-TLS proxy
    • Collect data logs for bug reporting
    • Get rid of corrupted locks
    • Enable Ubuntu Pro services in a Dockerfile
    • Create a customised Cloud Ubuntu Pro image
    • Cloud Ubuntu Pro images with FIPS updates
  • Explanation
    • Pro-related APT messages
    • Pro-related MOTD messages
    • What does security-status do?
    • How to interpret the output of unattended-upgrades
    • The pro status output explained
    • What pro refresh does
    • Disabling and purging services
    • About Public Cloud Ubuntu Pro images
    • What is the ubuntu-pro-auto-attach package?
    • CVEs and USNs explained
    • Common scenarios when using pro fix to solve a CVE/USN
    • How to interpret the output of the fix plan API endpoint
    • Which services are for me?
    • About ESM, esm-apps and esm-infra
    • Timer jobs explained
    • Using Ubuntu Pro airgapped
    • What is the Pro daemon?
    • Errors you may encounter and their meaning
    • Ubuntu Pro Client feature deprecation policy
    • What data is collected from active Ubuntu Pro machines?
    • Machine counts and token usage for Ubuntu Pro
  • Reference
    • CLI reference guide
    • API reference guide
    • Network requirements
    • Personal Package Archives (PPAs)
    • Support matrix
    • Compatibility matrix
Back to top

How to skip fixing related USNs#

The general scenarios you might encounter when running pro fix are outlined in our explanation of using pro fix to solve a CVE/USN.

When running the pro fix command for a USN, by default we also try to fix any related USNs as well. To better understand the concept of related USNs, you can refer to our related USNs guide. To make this clear, let’s take a look into the following example:

USN-5573-1: rsync vulnerability
Associated CVEs:
  - https://ubuntu.com/security/CVE-2022-37434

Fixing requested USN-5573-1
1 affected source package is installed: rsync
(1/1) rsync:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y rsync }

✔ USN-5573-1 is resolved.

Found related USNs:
- USN-5570-1
- USN-5570-2

Fixing related USNs:
- USN-5570-1
No affected source packages are installed.

✔ USN-5570-1 does not affect your system.

- USN-5570-2
1 affected source package is installed: zlib
(1/1) zlib:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y zlib1g }

✔ USN-5570-2 is resolved.

Summary:
✔ USN-5573-1 [requested] is resolved.
✔ USN-5570-1 [related] does not affect your system.
✔ USN-5570-2 [related] is resolved.

We can see here that the pro fix command fixed the requested USN-5573-1 while also handling both USN-5570-1 and USN-5570-2, which are related to the requested USN.

If you don’t want to fix any related USNs during the fix operation, you can use the --no-related flag. By running the command pro fix USN-5573-1 --no-related we would get the following output instead:

USN-5573-1: rsync vulnerability
Associated CVEs:
  - https://ubuntu.com/security/CVE-2022-37434

Fixing requested USN-5573-1
1 affected source package is installed: rsync
(1/1) rsync:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y rsync }

✔ USN-5573-1 is resolved.

Comparing this output to the previous one, we can see that we have not analysed or tried to fix any related USNs.

Next
How to better visualise the result when fixing multiple CVEs
Previous
How to know what the fix command would change?
Copyright © 2024, Canonical Group Ltd
Made with Sphinx and @pradyunsg's Furo