I think the question is this a typo in the vuln-2022.xml, because the changelog shows the CVE are fixed in 2.4.54
> On 10 Jun 2022, at 15:20, Wall, Stephen <[email protected]> wrote: > >> vuln-2022.xml: >> <affects> >> <package> >> <name>apache24</name> >> <range><lt>2.5.54</lt></range> <------- 2.4.54 ??? >> </package> ~~~~~~ >> </affects> >> -- >> Masachika ISHIZUKA > > `<lt>` indicates it affects versions less than 2.5.54. > > > -spw
