Does Vuls match oval and 3rd party repositories? #1620

MalfuncEddie posted onGitHub

Hi,

For "reasons" we use the apache of "deb http://ppa.launchpad.net/ondrej/apache2/ubuntu focal main" instead of the normal ubuntu one.

I was wondering if vuls also detects CVE's on those packages.

ii apache2 2.4.55-1+ubuntu20.04.1+deb.sury.org+2 amd64 Apache HTTP Server

should match cve https://ubuntu.com/security/CVE-2023-25690 but it doesn't?

Currently, Debian/Ubuntu does not look at repositories of installed packages.

fixed version: 2.4.41-4ubuntu3.14 < installed version: 2.4.55-1+ubuntu20.04.1+deb.sury.org+2, so this should be treated as a unaffected vulnerability on your machine.

posted by MaineK00n almost 2 years ago

I'm a bit confused

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55

also the the repo has an update 2.4.56 so I thought that 2.4.55 is also affected.

posted by MalfuncEddie almost 2 years ago

I think 2.4.56 is the version of apache/httpd. Please note that the versions of apache/httpd and the apache package provided by ubuntu do not always match.

I assume your machine is Ubuntu 20.04, but according to https://ubuntu.com/security/CVE-2023-25690 it is fixed in 2.4.41-4ubuntu3.14. This is also described in launchpad's apache. https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.14

However, since you are not using apache in the official repository provided by Ubuntu to begin with, there is no point in looking at ubuntu's fixed version. You should check what version of apache you are using, what version of apache/httpd you derived it from, and what patches you have applied so far.

posted by MaineK00n almost 2 years ago

Fund this Issue

$0.00

Funded

Only logged in users can fund an issue

Pull requests

Do you want to work on this issue?

Does Vuls match oval and 3rd party repositories? #1620

Company

Community

Support

Connect