So I received a vulnerability scan from my security team and I was using this website to check to see if Ubuntu had patched the CVE or not :
http://people.canonical.com/~ubuntu-security/cve/
So to use an old example, let's take CVE-2010-1452. I look up CVE-2010-1452 on that page and see what I think is an indication that it's been patched in Ubuntu 10.04 LTS:
Code:
Ubuntu 10.04 LTS (Lucid Lynx): released (2.2.14-5ubuntu8.4)
Then I run a dpkg-query on my system to see what version of the package I have installed and I see 2.2.14-5ubuntu8.13.
I can not update apache2 any further and I assume 2.2.14-5ubuntu8.4 is newer than 2.2.14-5ubuntu8.13 so that makes me think that perhaps my package is out of date but I can't update apache2 via apt-get. So am I totally mistaken in thinking that 2.2.14-5ubuntu8.4 > 2.2.14-5ubuntu8.13 ?
Is there a better way to check to see if my Ubuntu systems (and CentOS for that matter, I use
https://access.redhat.com/security/cve/ currently) have addressed a CVE vulnerability?