How to resolve a specific CVE or USN

In this guide, we will introduce the pro fix command and show how you can use it to resolve CVEs/USNs.

Note

If you want a simpler guide to get started with pro fix, start with our security features tutorial. You can use the same VM-based environment created in that tutorial to recreate the output shown below yourself.

Before you begin, you will need to update the Pro Client to the most recent version:

$ sudo apt update && sudo apt install ubuntu-pro-client

Use pro fix

First, let’s see what happens to your system when pro fix runs. The output of every pro fix run follows a similar structure. It:

  • describes the CVE/USN;

  • displays the affected packages;

  • fixes the affected packages; and

  • at the end, shows whether the CVE/USN is fully fixed on the machine.

This is best demonstrated with a pro fix call that actually fixes a package.

To set that up, let us install an older package on the VM that we know is associated with CVE-2020-25686. You can install the package by running these commands:

$ sudo apt update
$ sudo apt install dnsmasq=2.75-1

Now, let’s run pro fix on the CVE:

$ sudo pro fix CVE-2020-25686

You will then see the following output:

CVE-2020-25686: Dnsmasq vulnerabilities
 - https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }

✔ CVE-2020-25686 is resolved.

Note

We need to run the command with sudo because it will be installing a package on the system.

Whenever pro fix has a package to upgrade, it follows a consistent structure and displays the following, in this order:

  1. The affected package

  2. The availability of a fix

  3. The location of the fix, if one is available

  4. The command that will fix the issue

At the end of the output you can also see confirmation that the CVE was fixed by the command. To confirm that the fix was successfully applied, let’s run the pro fix command again. We should now see the following:

CVE-2020-25686: Dnsmasq vulnerabilities
 - https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
The update is already installed.

✔ CVE-2020-25686 is resolved.

You might encounter other cases when using pro fix to resolve a CVE/USN. You can learn more about these cases in the guide detailing Common scenarios encountered when using pro fix to solve a CVE/USN.
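If you want to record the result of each run, for example as remediation evidence collected from several machines, the output structure described above can be reduced to a single line. The following is an added example, not part of the Pro Client: the function name `summarize_pro_fix` and the `id|packages|action|status` format are assumptions, and the sample text is constructed from the two outputs shown in this guide.

```shell
#!/bin/sh
# Added example: reduce captured `pro fix` output to "id|packages|action|status".
# It recognises only the line shapes shown in this guide; anything else is
# reported as action "none" / status "unknown" so it is never mistaken for a fix.

# Constructed samples, copied from the first and second runs shown above.
SAMPLE_FIRST_RUN='CVE-2020-25686: Dnsmasq vulnerabilities
 - https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y dnsmasq }

✔ CVE-2020-25686 is resolved.'

SAMPLE_SECOND_RUN='CVE-2020-25686: Dnsmasq vulnerabilities
 - https://ubuntu.com/security/CVE-2020-25686

1 affected package is installed: dnsmasq
(1/1) dnsmasq:
A fix is available in Ubuntu standard updates.
The update is already installed.

✔ CVE-2020-25686 is resolved.'

summarize_pro_fix() {
    # $1: the full text printed by `pro fix <CVE|USN>`
    id="" pkgs="" action="none" status="unknown"
    while IFS= read -r line; do
        case "$line" in
            "CVE-"*": "*|"USN-"*": "*)            # description header
                [ -n "$id" ] || id=${line%%:*} ;;
            *" installed: "*)                     # affected packages
                pkgs=${line##* installed: } ;;
            "{ "*" }")                            # command that pro fix ran
                action="upgraded" ;;
            "The update is already installed.")   # nothing left to upgrade
                action="already-installed" ;;
            *" is resolved.")                     # final confirmation line
                status="resolved" ;;
        esac
    done <<EOF
$1
EOF
    printf '%s|%s|%s|%s\n' "$id" "$pkgs" "$action" "$status"
}

summarize_pro_fix "$SAMPLE_FIRST_RUN"
```

On a real machine you would pass the captured output instead of a sample, for example `summarize_pro_fix "$(sudo pro fix CVE-2020-25686)"`.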

Additional resources

This is not the only scenario where you might want to use pro fix. To find out about the other situations where it can be useful, as well as which options can be used to give you greater control over the command, you can refer to the following guides:

If you need more information about this, please feel free to reach out to the Ubuntu Pro Client team on #ubuntu-server on Libera IRC – we’re happy to help!

Alternatively, if you have a GitHub account, click on the “Give feedback” link at the top of this page to leave us a message. We’d love to hear from you!