The USN-3713-1: CUPS vulnerabilities are fixed automatically and installed on SecureDrop production instances. I received the following OSSEC alert.
OSSEC HIDS Notification. 2018 Jul 12 04:34:26 Received From: (app) A.B.C.D->/var/log/dpkg.log Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed." Portion of the log(s): 2018-07-12 04:34:25 status installed libcups2:amd64 1.7.2-0ubuntu1.10 --END OF NOTIFICATION OSSEC HIDS Notification. 2018 Jul 12 04:34:26 Received From: (app) A.B.C.D->/var/log/dpkg.log Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed." Portion of the log(s): 2018-07-12 04:34:25 status installed libc-bin:amd64 2.19-0ubuntu6.14 --END OF NOTIFICATION