Introduction
After the backdoor in the XZ Utils package was disclosed (CVE-2024-3094),
I noticed many people suggesting xz --version to check the installed package version instead of asking the distribution's package manager.
If an executable may be compromised, it is better not to run it just to learn its version. The package manager can provide the same information without executing the binary.
So let's look at how to check the version of an installed package on GNU/Linux systems. For convenience I split the distributions by package manager.
Note that the commands below explicitly filter for packages with xz in the name.
Debian
This works on every Debian-based distribution.
# apt (the Debian package is named xz-utils, so match on a glob)
apt list --installed '*xz*'
# or with more details
apt show xz-utils
# or with dpkg
dpkg-query -l '*xz*'
# or
dpkg-query -l | grep xz
Fedora
This applies to Fedora and to distributions that use RPM and DNF. You can also use RPM Package Manager (RPM).
# dnf (quote the glob so the shell does not expand it)
dnf list installed 'xz*'
# or
dnf list installed | grep xz
# or with yum
yum list installed | grep xz
# or via RPM
rpm -qa | grep xz
Arch Linux
This also works for Arch-based distributions, including Manjaro, EndeavourOS and SteamOS.
# pacman
pacman -Qs xz
# or
pacman -Q | grep xz
openSUSE Tumbleweed
These commands are also valid for SUSE- and openSUSE-based distributions like GeckoLinux and Linux Kamarada. You can also use RPM.
# zypper
zypper info xz
# or
rpm -qa | grep xz

Last updated 2024-04-09.
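A single helper covering the dpkg, RPM and pacman databases used above, as an added example that is not part of the original article: it normalises each query to name/version pairs and filters on the package name, never running xz itself. The function names are hypothetical; the query format strings are standard options of dpkg-query and rpm.

```shell
#!/bin/sh
# Added example: report installed package versions from the package database.
# The xz binary itself is never executed.

# only_installed: read "STATUS NAME VERSION" lines (dpkg status abbreviation
# first) and keep fully installed packages ("ii"), dropping e.g. "rc".
only_installed() {
    awk '$1 ~ /^ii/ { print $2, $3 }'
}

# match_name PATTERN: read "NAME VERSION" lines and keep those whose name
# matches the extended regex PATTERN; exit status 1 when nothing matches.
match_name() {
    awk -v re="$1" '$1 ~ re { print; found = 1 } END { exit !found }'
}

# list_installed: print "NAME VERSION" for every installed package using the
# first package-database tool found on PATH.
list_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n' |
            only_installed
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
    elif command -v pacman >/dev/null 2>&1; then
        pacman -Q
    else
        echo "no supported package manager found" >&2
        return 1
    fi
}

# installed_version [PATTERN]: versions of packages matching PATTERN
# (default "xz", as in the article).
installed_version() {
    list_installed | match_name "${1:-xz}"
}

# Usage: installed_version 'xz|lzma'
```

The code affected by CVE-2024-3094 shipped in the liblzma library, which some distributions package under a name without xz in it (liblzma5 on Debian), so a pattern such as 'xz|lzma' covers both.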
