How to check package version on Linux

In light of the recent discovery of a backdoor in the XZ Utils package (CVE-2024-3094), knowing how to check package versions on Linux has come to front of mind.

I try to be security cautious. Typically I reach for boring ol’ Debian stable for my servers. I do my best to keep them reasonably up date. Unattended security updates help out a ton.

In the face of a potential security crisis, I keep a certain level of paranoia. In this instance, even though I was confident that Debian’s “outdated” packages would have my back, I still needed to check to be 100% sure.

While I do try to reach for Debian stable on my servers, that doesn’t mean that’s all I have floating around in the server fleet I captain.

Arch Linux on my desktop was probably going to be a problem (it was), due to its rolling release nature, and my current update frequency.. I also maintain Ubuntu servers, Debian-based so probably just fine. And finally, Amazon Linux, which I wasn’t sure would have a problem or not.

I definitely needed to check each one to have any sort of peace of mind.

Keep in mind, the following commands are explicitly filtering on packages with xz in the name. You can easily change that to whatever string you’re looking for.

How to check package version on Debian

This not only works for Debian, but any Debian-based Linux distribution. This includes Ubuntu, Linux Mint, MX Linux, etc.

dpkg-query -l '*xz*'
# or
dpkg-query -l | grep xz

How to check package version on Arch Linux

Similar to the dpkg command for Linux, this works for Arch-based distributions as well. Including Manjaro, EndeavourOS, and even SteamOS (version 3.0+). Generally speaking, you should be able to swap out pacman for your AUR package manager as well, like my current favorite, yay.

pacman -Qs xz
# or
pacman -Q | grep xz

How to check package version on Fedora

You’re probably sensing a trend by now. This covers not only Fedora, but also Fedora-based distributions, including Amazon Linux. The last alternative method can be applied to RPM-based distributions.

dnf list installed xz*
# or
dnf list installed | grep xz

# or more yumtastically
yum list installed | grep xz

# or via RPM
rpm -qa | grep xz
Josh Sherman - The Man, The Myth, The Avatar

About Josh

Husband. Father. Pug dad. Musician. Founder of Holiday API, Head of Engineering and Emoji Specialist at Mailshake, and author of the best damn Lorem Ipsum Library for PHP.

If you found this article helpful, please consider buying me a coffee.