Comment 3 for bug 2054511

For all CVEs handled by the security team, we always assume older versions of the software in our archive are vulnerable, and when we research the issue we make sure the vulnerability isn't present in older versions.

We never report "not vulnerable" for EOL software unless we specifically checked.

For the CVEs mentioned in this bug report, a mistake was made during our research, which we have now corrected.