Comment 2 for bug 1855768

Hi Srdjan,

Thanks for taking the time to report this issue and help making Ubuntu better.

The USN you mentioned, applied the fix to the source package libidn2 (https://packages.ubuntu.com/source/bionic/libidn2)
You can see on the mentioned page that this source package generates multiple binary packages, including: idn2 and libidn2-0. So, on the USN page that you mentioned we are referring to those binary packages, but on the CVE page we are only dealing with source package names. So we already have the released in the lines for libidn2.

The lines that you are referring that are marked as DNE, is for the libidn2-0 source package (https://packages.ubuntu.com/source/xenial/libidn2-0), which only exists on Ubuntu Xenial (16.04) and Trusty (14.04), and that's why it is marked as DNE (Do Not Exist) in the CVE page.

So this is just a confusion between source packages and binary packages. Binary packages is what you install on a apt-get install command. Source packages is where we apply the fix, and where the binary packages will be generated from.

Hope I didn't get you more confused on this.
Thanks