
What are CVE security updates and who issues them?

Writer Matthew Martinez

Just a couple quick questions. Hope a couple wise owls might be able to answer ; )

I used to apply updates through the terminal without any care, since I don't use any PPAs or any untrusted apps, but lately I have become interested in Ubuntu bugs, their fixes and, most importantly, the changes that would be made to my system. So I found it easier to use the 'Update Manager', so I could use the link in the 'Changes' section to access the 'Launchpad' page that discusses these issues.

Today, when prompted for some specific updates, instead of being directed to a 'Launchpad' page as I was accustomed to, I was directed to an unknown 'mitre.org' page.

Screenshots:

[Screenshot: Update Manager - Changes]

[Screenshot: Mitre]

I've searched the askubuntu site, as well as others, yet I've only found 1 thread that can come close to answering my questions. It was marked as [SOLVED], yet the OP's original question was never answered.

So to my questions...

What are CVE security updates and who issues them?

Why am I directed to a website unknown to me, which is funded by a government agency (look closely at the bottom of the 'Mitre' screenshot), when inquiring about the aforementioned updates?


3 Answers

"CVE" stands for "Common Vulnerabilities and Exposures". It is an industry standard for the notation, especially for the naming, of security vulnerabilities. The list of CVEs is maintained by the MITRE Corporation. This non-profit company has been branched off from the Massachusetts Institute of Technology (MIT) as a service for US research institutions. For more information, see CVE and MITRE Corporation on Wikipedia.


"CVE" stands for "Common Vulnerabilities and Exposures", explained in Henning Kockerbeck's answer here.

Fixes for CVEs are either fixed upstream by the developers of a given program and then are either SRU'd (Stable Release Update) or uploaded to the latest development release of Ubuntu by either the developers of the upstream program, the Ubuntu Security Team, or are uploaded when sponsored by a member of the security team if the community helped to develop the patch for the package.

For programs that are in Main, and maintained by the developers for Canonical, the Ubuntu Security Team will typically update a package and place it in the RELEASE-security repository (where RELEASE is precise, quantal, raring, etc.).

For programs that are in Universe, those are typically community maintained, and anyone in the community can prepare an SRU or a patch to include the CVE fixes. Those fixes are then sponsored by the Security Team for uploading and inclusion into Ubuntu.


This answer is a combination of the two answers the original poster said helped them. They answer both parts of the questions asked by the asker. This answer was created so they could accept an answer that has both parts.


"CVE" stands for "Common Vulnerabilities and Exposures". It is an industry standard for the notation, especially for the naming, of security vulnerabilities. The list of CVEs is maintained by the MITRE Corporation. This non-profit company has been branched off from the Massachusetts Institute of Technology (MIT) as a service for US research institutions. For more information, see CVE and MITRE Corporation on Wikipedia.

(originally by Henning Kockerbeck)


Fixes for CVEs are either fixed upstream by the developers of a given program and then are either SRU'd (Stable Release Update) or uploaded to the latest development release of Ubuntu by either the developers of the upstream program, the Ubuntu Security Team, or are uploaded when sponsored by a member of the security team if the community helped to develop the patch for the package.

For programs that are in Main, and maintained by the developers for Canonical, the Ubuntu Security Team will typically update a package and place it in the RELEASE-security repository (where RELEASE is precise, quantal, raring, etc.).

For programs that are in Universe, those are typically community maintained, and anyone in the community can prepare an SRU or a patch to include the CVE fixes. Those fixes are then sponsored by the Security Team for uploading and inclusion into Ubuntu.

(originally by Thomas W.)
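The two answers above describe where an Ubuntu CVE fix lands (the RELEASE-security pocket) but not how a user can see for themselves which CVEs an offered update claims to fix. The following shell script is an added example, not from any of the answers or from Ubuntu's own tooling: it parses a Debian-format changelog (what `apt-get changelog PKG` prints) to list the CVE identifiers per version, and parses `apt-cache policy PKG` output to report which pocket the candidate version would come from. The package name, versions, changelog and policy output are all constructed samples, and the CVE ids are obviously fake placeholders.

```shell
# Added example: list CVE ids per changelog entry and confirm the candidate version's
# pocket (e.g. precise-security). All data below is constructed, not real package data.
SAMPLE_CHANGELOG='demo-pkg (1.0-1ubuntu0.2) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via crafted input
    - CVE-0000-0001 (constructed placeholder id, not a real advisory)
  * SECURITY UPDATE: information leak
    - CVE-0000-0002 (constructed placeholder id, repeated below to show de-duplication)
    - CVE-0000-0002

 -- Maintainer <maintainer@example.com>  Mon, 01 Jan 2014 00:00:00 +0000

demo-pkg (1.0-1ubuntu0.1) precise; urgency=low

  * Non-security bug fix

 -- Maintainer <maintainer@example.com>  Mon, 02 Dec 2013 00:00:00 +0000'
SAMPLE_POLICY='demo-pkg:
  Installed: 1.0-1ubuntu0.1
  Candidate: 1.0-1ubuntu0.2
  Version table:
     1.0-1ubuntu0.2 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
 *** 1.0-1ubuntu0.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status'

# Changelog on stdin -> one line per entry: "<version> <pocket> <cve,cve|->".
cve_summary() {
  awk 'BEGIN { re = "CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]+" }  # no {n}: mawk lacks intervals
    function flush() { if (ver != "") print ver, pocket, (cves == "" ? "-" : cves) }
    /^[a-z0-9][a-z0-9.+-]* \(/ { flush(); ver = $2; gsub(/[()]/, "", ver)
                                 pocket = $3; sub(/;$/, "", pocket); cves = ""; split("", seen) }
    { while (match($0, re)) { id = substr($0, RSTART, RLENGTH)
        if (!(id in seen)) { seen[id] = 1; cves = (cves == "" ? id : cves "," id) }
        $0 = substr($0, RSTART + RLENGTH) } }
    END { flush() }'
}
# apt-cache policy output on stdin -> pocket(s) the Candidate version would be installed from.
candidate_pocket() {
  awk '/^ *Candidate:/ { cand = $2; next }
    /Version table:/ { intable = 1; next }
    intable && ($1 == "***" || ($2 ~ /^[0-9]+$/ && $1 !~ /^[0-9]+$/)) { cur = ($1 == "***") ? $2 : $1; next }
    intable && cur == cand && NF >= 3 && $3 ~ /\// { split($3, p, "/"); print p[1] }'
}

printf '%s\n' "$SAMPLE_CHANGELOG" | cve_summary
printf '%s\n' "$SAMPLE_POLICY" | candidate_pocket
```

On a real system, replace the samples with `apt-get changelog PKG | cve_summary` and `apt-cache policy PKG | candidate_pocket`; an update whose pocket is not RELEASE-security and whose changelog names no CVE is an ordinary SRU rather than a security update.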
