To find out if an installed APT package on a Debian or Ubuntu Linux system includes a fix or patch for a specific Common Vulnerabilities and Exposures (CVE) number, you can use the apt-show-versions command.
For example, to check whether the openssl package includes a fix for CVE-2020-1967, you can use the following command:
apt-show-versions -p openssl | grep -i cve-2020-1967
If the package includes a fix for the specified CVE number, the command will output a line indicating the version of the package that includes the fix. If the package does not include a fix for the specified CVE number, the command will not output anything.
You can also use the --fix-missing option to display a list of all installed packages that are missing fixes for known vulnerabilities:
apt-show-versions --fix-missing
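A complementary per-package check, added here and not part of the original page: Debian and Ubuntu security uploads normally name the CVE they fix in the package changelog, so the script below searches a changelog for a CVE ID and prints the version in which it was first recorded. The function names, the sample changelog, the package name and the CVE IDs in it are constructed placeholders.

```sh
#!/bin/sh
# Added example: find the package version whose changelog first records a CVE.

# cve_fixed_in CHANGELOG CVE-ID
# Prints the version of the oldest changelog entry that names the CVE
# (entries are newest first, so the last match read is the oldest).
# Returns 1 if the CVE is not mentioned at all.
cve_fixed_in() {
    gzip -cdf -- "$1" | awk -v cve="$2" '
        BEGIN { pat = toupper(cve) "([^0-9]|$)" }   # do not match a longer ID
        # Entry header: "package (version) distribution; urgency=..."
        /^[^ \t]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver); next }
        toupper($0) ~ pat { found = ver }
        END { if (found == "") exit 1; print found }'
}

# installed_has_fix PACKAGE CVE-ID  (needs dpkg; reads the installed changelog)
installed_has_fix() {
    installed=$(dpkg-query -W -f='${Version}' "$1") || return 2
    # Native packages ship changelog.gz instead of changelog.Debian.gz.
    for f in "/usr/share/doc/$1/changelog.Debian.gz" "/usr/share/doc/$1/changelog.gz"; do
        [ -r "$f" ] || continue
        if fixed=$(cve_fixed_in "$f" "$2"); then
            echo "$1 $installed: $2 recorded as fixed in $fixed"
            return 0
        fi
    done
    echo "$1 $installed: $2 not found in the installed changelog"
    return 1
}

# Constructed sample changelog (hypothetical package, versions and CVE IDs).
sample_changelog() {
    cat <<'EOF'
examplepkg (1.2.3-1+deb0u3) stable-security; urgency=high

  * Fix buffer over-read in parser (CVE-0000-12345).

examplepkg (1.2.3-1+deb0u2) stable-security; urgency=medium

  * Rebuild; refresh patch for cve-0000-1234.

examplepkg (1.2.3-1+deb0u1) stable-security; urgency=high

  * CVE-0000-1234: reject malformed handshake records.
EOF
}

if [ "$#" -eq 2 ]; then installed_has_fix "$1" "$2"; fi
```

A miss is not proof of exposure: the installed changelog may be truncated, and a package that was never affected has no entry. `apt changelog <package>` fetches the full changelog for a manual search.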