[18:20] <luis220413> Is anyone from the Ubuntu Security Team here?
[18:22] <luis220413> The status of CVE-2019-16239 for focal and later releases should be Not vulnerable (8.05-1) and for xenial should be "Ignored (reached end-of-life)", because you always do this for packages that are in the universe component in xenial.
[18:23] <luis220413> *"Ignored (out of standard support)"
[18:23] <luis220413> The CVE is not fixed in Xenial, contrary to what the Ubuntu CVE Tracker states.
[18:26] <luis220413> I must leave now but will remain online.
[18:27] <mdeslaur> luis220413: fixed, thanks
[18:27] <mdeslaur> luis220413: but we did release it for xenial before it went eol, so ignored isn't appropriate
[18:27] <mdeslaur> oh wait, it's a typo?
[18:27]  * mdeslaur looks again
[18:27] <luis220413> https://launchpad.net/ubuntu/+source/openconnect/+publishinghistory
[18:28] <luis220413> https://launchpad.net/ubuntu/+source/openconnect
[18:28] <mdeslaur> you're right, fixed now, thanks
[18:30] <luis220413> I also believe Ubuntu 22.04 is not vulnerable to CVE-2020-12105, because the description mentions "OpenConnect through 8.08" and 22.04 has 8.20-1.
[18:31] <luis220413> Can you also triage this CVE for bionic and focal? I will prepare a security update for this package today.
[18:31] <sbeattie> one needs to be cautious with versions in cve descriptions provided by mitre/nvd (which is often the source of UCT descriptions).
[18:31] <mdeslaur> the description is wrong, it doesn't look like it's fixed upstream
[18:32] <luis220413> I must leave now but will remain online.
[18:34] <mdeslaur> it only affects when built with openssl, ubuntu builds with gnutls, no, it's not vulnerable
[22:11] <luis220413> I have just submitted debdiffs for openconnect in bug 1987569.