Ubuntu · 4 releases supported

Patch CVEs on Ubuntu

StackPatch indexes Ubuntu Security Notices (USN, ubuntu.com/security/notices) for 4 Ubuntu releases: noble (24.04) · jammy (22.04) · focal (20.04) · bionic (18.04 ESM). The workflow below shows the exact apt + dpkg commands to detect, remediate, and verify a CVE.

5-second free check

curl https://mindsparkstack.com/scan.sh | bash

On Ubuntu, the agent uses dpkg-query -W -f='${Package}\t${Version}\n' to enumerate installed packages, then matches them against ubuntu.com/security/notices via the StackPatch matcher API. The script source is available as plain text.

Manual workflow

  1. Enumerate installed packages

    dpkg-query -W -f='${Package}\t${Version}\n' | head -200

  2. Look up an example CVE

    USN-8222-1 affects openssh-server on Ubuntu. Each CVE page shows the exact fixed_version per release.

  3. Upgrade with apt + dpkg

    sudo apt-get update && sudo apt-get install --only-upgrade -y <package>

  4. Verify the version landed

    Re-run the quickscan, or use the per-package check listed above.

Ubuntu-specific notes

  • ESM-only fixes (versions ending in ~esm or in the -esm pocket) require Ubuntu Pro, which is free for personal + small-team use.
  • Kernel CVEs require a reboot. Check /var/run/reboot-required after apt install linux-image.
  • Live demo audit running on Ubuntu 24.04: /patch/audit/mss-vps

Continuous monitoring across all your Ubuntu servers

Hourly inventory + matcher + email/webhook alerts + public audit URL per server. $99 lifetime, 50 founder seats. Works on every Ubuntu release listed above.