Open MalfuncEddie opened 1 year ago
MaineK00n
commented
1 year ago Currently, Debian/Ubuntu does not look at repositories of installed packages.
fixed version: 2.4.41-4ubuntu3.14 < installed version: 2.4.55-1+ubuntu20.04.1+deb.sury.org+2, so this should be treated as a unaffected vulnerability on your machine.
MalfuncEddie
commented
1 year ago I'm a bit confused
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55
also the the repo has an update 2.4.56 so I thought that 2.4.55 is also affected.
MaineK00n
commented
1 year ago I think 2.4.56 is the version of apache/httpd. Please note that the versions of apache/httpd and the apache package provided by ubuntu do not always match.
I assume your machine is Ubuntu 20.04, but according to https://ubuntu.com/security/CVE-2023-25690 it is fixed in 2.4.41-4ubuntu3.14. This is also described in launchpad's apache. https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.14
However, since you are not using apache in the official repository provided by Ubuntu to begin with, there is no point in looking at ubuntu's fixed version. You should check what version of apache you are using, what version of apache/httpd you derived it from, and what patches you have applied so far.
Hi,
For "reasons" we use the apache of "deb http://ppa.launchpad.net/ondrej/apache2/ubuntu focal main" instead of the normal ubuntu one.
I was wondering if vuls also detects CVE's on those packages.
ii apache2 2.4.55-1+ubuntu20.04.1+deb.sury.org+2 amd64 Apache HTTP Server
should match cve https://ubuntu.com/security/CVE-2023-25690 but it doesn't?