How can I check if an installed package has been updated to include a CVE patch?
You can use the rpm command with --query --changelog <package>.
For example:
rpm --query --changelog openssl | grep CVE-2020
- fix CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference
For Ubuntu servers, you can run:
zgrep -E 'CVE-YYYY-XXXXX' /usr/share/doc/$package/changelog.Debian.gz
You can also verify whether the package includes the patch through sites such as Red Hat CVE and MITRE CVE.
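The two changelog checks above can be wrapped in one script that matches the whole CVE ID, so that a search for one ID does not also hit a longer ID that starts with the same digits. This is an added example, not part of the original answer; the function names and the second sample changelog line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Constructed sample: line 1 is the entry quoted on this page; line 2 uses an
# obvious placeholder ID to show the prefix-match pitfall.
SAMPLE_CHANGELOG='- fix CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference
- fix CVE-0000-00001 placeholder entry (constructed)'

# Accept only well-formed IDs: CVE-<4-digit year>-<4 or more digits>.
valid_cve_id() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Read changelog text on stdin. Return 0 if the exact ID appears, 1 if not,
# 2 if the ID is malformed. -w rejects a hit that continues with more digits,
# -F treats the ID as a literal string.
changelog_mentions_cve() {
    valid_cve_id "$1" || return 2
    grep -qwF -e "$1"
}

# Print the changelog of an installed package, RPM first, then Debian/Ubuntu.
package_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm --query "$1" >/dev/null 2>&1; then
        rpm --query --changelog "$1"
    elif [ -r "/usr/share/doc/$1/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/$1/changelog.Debian.gz"
    else
        return 3
    fi
}

# Usage: check_package_cve <package> <CVE-ID>
check_package_cve() {
    valid_cve_id "$2" || { echo "malformed CVE ID: $2" >&2; return 2; }
    log=$(package_changelog "$1") || { echo "no changelog for $1" >&2; return 3; }
    if printf '%s\n' "$log" | changelog_mentions_cve "$2"; then
        echo "$1: changelog mentions $2"
    else
        echo "$1: no changelog entry for $2"; return 1
    fi
}

if [ "$#" -eq 2 ]; then check_package_cve "$1" "$2"; fi
```

Exit status 1 means only that the changelog does not name the ID; status 3 means no changelog could be read for the package, which is a different result from "not patched".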