How to resolve a specific CVE or USN#
In this guide, we will introduce the pro fix command and show how you can use it to resolve CVEs/USNs.
Note
If you are looking for a simpler guided tutorial to get started with
pro fix, please refer to the tutorial on
Using pro fix to solve a CVE/USN.
You can use the same VM-based environment created in that tutorial
to recreate the output shown below yourself. If you have already completed the tutorial, you may want to skip this section.
Use pro fix#
First, let’s see what happens to your system when pro fix runs.
Every pro fix output has a similar output structure. It:
describes the CVE/USN;
displays the affected packages;
fixes the affected packages; and
at the end, shows if the CVE/USN is fully fixed in the machine.
This is best demonstrated in a pro fix call that does fix a package.
Therefore let us install an older package on the VM that we know is associated with CVE-2020-25686. You can install the package by running these commands:
$ sudo apt update
$ sudo apt install dnsmasq=2.75-1
Now, let’s run pro fix on the CVE:
$ sudo pro fix CVE-2020-25686
You will then see the following output:
CVE-2020-25686: Dnsmasq vulnerabilities
- https://ubuntu.com/security/CVE-2020-25686
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }
✔ CVE-2020-25686 is resolved.
Note
We need to run the command with sudo because it will be installing a
package on the system.
Whenever pro fix has a package to upgrade, it follows a consistent
structure and displays the following, in this order:
The affected package
The availability of a fix
The location of the fix, if one is available
The command that will fix the issue
Also, at the end of the output you can see confirmation that the CVE was fixed
by the command. Just to confirm that the fix was successfully applied, let’s
run the pro fix command again, and we should now see the following:
CVE-2020-25686: Dnsmasq vulnerabilities
- https://ubuntu.com/security/CVE-2020-25686
1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
The update is already installed.
✔ CVE-2020-25686 is resolved.
There might be other cases which you might encounter when using pro fix to resolve a CVE/USN. You can learn more about these cases in the guide detailing Common scenarios encountered when using pro fix to solve a CVE/USN.
Additional resources#
This is not the only scenario where you might want to use pro fix . To find out about the other situations where it can be useful, as well as which options can be used to give you greater control over the command, you can refer to the following guides:
How do I know what the pro fix command would change? will show you how to use
pro fixin--dry-runmode to safely simulate the changes before they’re applied.How to skip fixing related USNs will show you how to only fix a single USN, even if other fixes are available.
If you need more information about this, please feel free to reach out
to the Ubuntu Pro Client team on #ubuntu-server on
Libera IRC – we’re happy to help!
Alternatively, if you have a GitHub account, click on the “Give feedback” link at the top of this page to leave us a message. We’d love to hear from you!