Does Vuls match oval and 3rd party repositories? #1620

Open
MalfuncEddie opened this issue Mar 15, 2023 · 3 comments
Comments

@MalfuncEddie

Hi,

For "reasons" we use the apache of "deb http://ppa.launchpad.net/ondrej/apache2/ubuntu focal main"
instead of the normal ubuntu one.

I was wondering if vuls also detects CVEs on those packages.

ii apache2 2.4.55-1+ubuntu20.04.1+deb.sury.org+2 amd64 Apache HTTP Server

should match CVE https://ubuntu.com/security/CVE-2023-25690, but it doesn't?

@MaineK00n (Collaborator) commented Mar 15, 2023

Currently, Debian/Ubuntu does not look at repositories of installed packages.

fixed version: 2.4.41-4ubuntu3.14 < installed version: 2.4.55-1+ubuntu20.04.1+deb.sury.org+2, so this should be treated as an unaffected vulnerability on your machine.

@MalfuncEddie (Author)

I'm a bit confused

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55

Also, the repo has an update, 2.4.56, so I thought that 2.4.55 is also affected.

@MaineK00n (Collaborator)

I think 2.4.56 is the version of apache/httpd.
Please note that the versions of apache/httpd and the apache package provided by ubuntu do not always match.

I assume your machine is Ubuntu 20.04, but according to https://ubuntu.com/security/CVE-2023-25690 it is fixed in 2.4.41-4ubuntu3.14.
This is also described on Launchpad's apache2 page.
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.14

However, since you are not using apache in the official repository provided by Ubuntu to begin with, there is no point in looking at ubuntu's fixed version.
You should check what version of apache you are using, what version of apache/httpd you derived it from, and what patches you have applied so far.
