
Ubuntu vulnerable package marked as fixed but new version hadn't been released

Open beaturmis opened this issue 2 months ago • 1 comment

Describe the bug

Bumped into a problem with UBUNTU-CVE-2024-38541. On July 15, 2025, package linux was marked as fixed with version 5.15.0-144.157 in OSV, but the fixed package version hadn't been released by Ubuntu at that moment. So there was a temporary inconsistency in the OSV DB which led to providing false information about available fixes.

Expected behaviour

Information about fixed versions is provided only once the packages have been published to Ubuntu repositories.

Screenshots

OSV DB info with fixed version: [screenshot]

Screenshot from Ubuntu CVE info page showing "Work in progress": [screenshot]

beaturmis avatar Oct 28 '25 12:10 beaturmis
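The practical consequence of the report above is that a "fixed" event in an OSV record is a claim about a version, not proof that the version is installable. The following is an added example (not code from the issue author, OSV or Canonical) of the cross-check a consumer of OSV data can run before acting on a fixed version: it reads the ECOSYSTEM range of an OSV `affected` entry, compares each `fixed` version against the versions actually present in the distribution archive using a compact implementation of the Debian/Ubuntu version-ordering rules, and reports whether a published package satisfies the fix. The OSV identifier, package name and fixed version are taken from the issue; the two lists of published versions are constructed for the example, and in a real deployment they would be assumed to come from the archive's Packages index rather than being hard-coded.

```python
import re

# --- Debian/Ubuntu version ordering (compact re-implementation of dpkg rules) ---

def _order(c):
    """Sort weight of one non-digit character: '~' sorts before the end of the
    string, letters before every other symbol."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    # Position by position; a missing character counts as 0 (end of string),
    # which is why "1.0~rc1" < "1.0" and "1.0" < "1.0ubuntu1".
    for i in range(max(len(a), len(b))):
        ca = _order(a[i]) if i < len(a) else 0
        cb = _order(b[i]) if i < len(b) else 0
        if ca != cb:
            return ca - cb
    return 0


def _cmp_part(a, b):
    # Alternate between non-digit runs (lexical) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        r = int(da or 0) - int(db or 0)
        if r:
            return r
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(v):
    """Split 'epoch:upstream-revision' into its three components."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_cmp(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


# --- The cross-check: is the advertised fix actually in the archive? ---

def fix_availability(affected, published):
    """For one OSV 'affected' entry, map each advertised fixed version to
    True/False depending on whether some published version satisfies it."""
    status = {}
    for rng in affected.get("ranges", []):
        if rng.get("type") != "ECOSYSTEM":
            continue  # SEMVER/GIT ranges do not use distro version strings
        for event in rng.get("events", []):
            fixed = event.get("fixed")
            if fixed is None:
                continue
            status[fixed] = any(dpkg_cmp(v, fixed) >= 0 for v in published)
    return status


# Affected entry shaped like an OSV record; identifiers and the fixed version
# are the ones named in the issue, the surrounding structure is illustrative.
OSV_AFFECTED = {
    "package": {"ecosystem": "Ubuntu:22.04:LTS", "name": "linux"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "5.15.0-144.157"}]}],
}

# Constructed archive contents: before and after the fixed build was published.
PUBLISHED_BEFORE = ["5.15.0-142.152", "5.15.0-143.153"]
PUBLISHED_AFTER = PUBLISHED_BEFORE + ["5.15.0-144.157"]

if __name__ == "__main__":
    for label, archive in (("before", PUBLISHED_BEFORE), ("after", PUBLISHED_AFTER)):
        print(label, fix_availability(OSV_AFFECTED, archive))
```

A scanner that treats `fixed` as authoritative would report the window between the OSV update and the Ubuntu publication as "patch available"; gating the report on `fix_availability` turning True closes that window without discarding the advisory itself.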

Hi there, thanks for your interest in OSV's data quality! In this case, Ubuntu gives us their data directly, by publishing at this git repository. As such, Canonical (Ubuntu) will be the best place to contact about addressing this issue. Thanks!

jess-lowe avatar Oct 28 '25 22:10 jess-lowe