What is backporting?
We use the term backporting to describe the action of taking a fix for a security flaw out of the most recent version of an upstream software package and applying that fix to an older version of the package that is distributed.
Backporting is a common practice among vendors like Canonical, Red Hat, SUSE and others and is essential to ensuring these vendors can deploy automated updates to customers with minimal risk.
How does backporting affect me?
When Lacework performs a vulnerability assessment of your hosts or container images, it compares each installed package version against a list of known vulnerabilities for that version and ranks the severity in accordance with the published CVE (Common Vulnerabilities and Exposures) notices.
When a package has been backported with a fix from a later software version, you may still see vulnerability alerts for it. In such cases the alert may be a 'false positive': the installed version string matches a version listed as vulnerable, but the package has already been patched with the fix for that vulnerability.
How do I know if an installed package has been backported with a fix?
Unfortunately, it is not always easy to determine whether an installed package contains a backported fix for a known vulnerability. When you cannot make this determination, it is always safest to assume the package may be vulnerable.
That said, it is common practice for software maintainers to distribute a change-log with most packages, which serves as a manifest of patches and changes along with the reason behind each change. This change-log is where you are most likely to find information on whether a particular package has been backported with a fix for a specific vulnerability. Note that not all package maintainers keep a change-log or record security backports; in that case you should assume the package may be vulnerable and treat the vulnerability notice as legitimate.
How you review these change-logs depends largely on your OS distribution and version and on how the package was installed. Follow the steps outlined below that correspond to your OS distribution.
For packages installed with APT ('apt-get' or 'apt'), use the following command to output the change-log of an installed package and search it for the CVE number, replacing <PackageName> and <CVE-#> with your own values:
$ apt-get changelog <PackageName> | grep <CVE-#>
ubuntu@host:~$ apt-get changelog wget | grep CVE-2016-4971
- fixed CVE-2016-4971 closes: #827003
- debian/patches/CVE-2016-4971.patch: understand --trust-server-names
If the apt cache doesn't contain the changelog information, the changelog can also be viewed directly at "/usr/share/doc/<PackageName>/changelog.Debian.gz":
$ zcat /usr/share/doc/<PackageName>/changelog.Debian.gz | grep <CVE-#>
ubuntu@host:~$ zcat /usr/share/doc/wget/changelog.Debian.gz | grep CVE-2019-5953
- debian/patches/CVE-2019-5953-*.patch: fix buffer overflow in
* Fix a buffer overflow vulnerability (CVE-2019-5953) (Closes: #926389)
- debian/patches/CVE-2019-5953-*.patch: fix in
For packages installed via 'yum' or 'dnf', use the following 'rpm' command to output the change-log of an installed package and search it for the CVE number, replacing <PackageName> and <CVE-#> with your own values:
$ rpm -q --changelog <PackageName> | grep <CVE-#>
[ec2-user@host ~]$ rpm -q --changelog wget | grep CVE-2019-5953
- Fix CVE-2019-5953 (#1696736)
For SUSE or SLES, the steps outlined above for Red Hat based distros also work, since zypper uses 'rpm' underneath to install packages. In addition to querying rpm for the changelog, SUSE offers a way to get more information on backported patches for specific CVEs:
$ zypper lp -a --cve=<CVE-#>
user@host:~> zypper lp -a --cve=CVE-2010-2074
Refreshing service 'spacewalk'.
Loading repository data...
Reading installed packages...
Issue | No. | Patch | Category | Status
cve | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed
This output identifies the patch that contains the fix for the vulnerability described in the CVE notice and tells you whether that patch is still needed. If the Status column shows "not needed", the patch has already been applied. If the command returns no output at all, treat the package as not backported with a fix.
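A small POSIX shell helper, added here as an example and not part of Lacework's documentation or any distribution's tooling, that wraps the three checks above: it greps an apt or rpm changelog for the exact CVE id, reads the Status column out of the zypper table, and picks the source by which package manager is present. The package name and CVE are the operator's own values; the sample changelog and zypper listing inside the script are constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example (not Lacework's or any distribution's tooling): decide from an
# apt/rpm changelog or a 'zypper lp --cve' listing whether an installed package
# carries a backported fix for a given CVE id.

# Constructed sample inputs modelled on the output shown on this page.
SAMPLE_DEB_CHANGELOG='wget (1.20.1-1ubuntu1) disco; urgency=medium
  * Fix a buffer overflow vulnerability (CVE-2019-5953) (Closes: #926389)
    - debian/patches/CVE-2019-5953-*.patch: fix buffer overflow'
SAMPLE_ZYPPER='Loading repository data...
Reading installed packages...
Issue | No.           | Patch                 | Category | Status
------+---------------+-----------------------+----------+-----------
cve   | CVE-2010-2074 | slessp1-w3m-2563-2563 | security | not needed'

# Read changelog text on stdin; print "backported" if the exact CVE id is
# mentioned (CVE-2019-595 must not match CVE-2019-5953), else "unknown",
# which the page says to treat as still vulnerable.
cve_in_changelog() {
    if grep -E -i -q -- "$1([^0-9]|$)"; then echo backported; else echo unknown; fi
}

# Read 'zypper lp -a --cve=<CVE>' output on stdin and print the Status column
# of the row for that CVE ("not needed" = fix already applied). The column is
# located by its header so extra columns do not break the parse. No row at
# all prints "no-patch": treat the package as not backported.
zypper_cve_status() {
    status=$(awk -F'|' -v cve="$1" '
        { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }
        $1 == "Issue" { for (i = 1; i <= NF; i++) if ($i == "Status") col = i; next }
        tolower($1) == "cve" && toupper($2) == toupper(cve) && col { print $col; exit }')
    [ -n "$status" ] && echo "$status" || echo no-patch
}

# Dispatcher: use the changelog source this page lists for the host's package
# manager. Usage: check_backport <PackageName> <CVE-#>
check_backport() {
    pkg="$1"; cve="$2"
    if command -v zypper >/dev/null 2>&1; then
        zypper lp -a --cve="$cve" 2>/dev/null | zypper_cve_status "$cve"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$pkg" 2>/dev/null | cve_in_changelog "$cve"
    elif command -v apt-get >/dev/null 2>&1; then
        { apt-get changelog "$pkg" 2>/dev/null ||
          zcat "/usr/share/doc/$pkg/changelog.Debian.gz" 2>/dev/null; } |
          cve_in_changelog "$cve"
    else
        echo unknown
    fi
}
```

An "unknown" or "no-patch" verdict is the signal to keep the Lacework alert open, since the changelog gave no evidence of a backport.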