Comment 0 for bug 2006705

Jonathan (xeosjonathan) wrote :

pro version: 27.13.3-18.01.1

When running:
    sudo pro fix CVE-2023-0286
    CVE-2023-0286: OpenSSL vulnerabilities
    https://ubuntu.com/security/CVE-2023-0286
    2 affected source packages are installed: openssl, openssl1.0
    (1/2, 2/2) openssl, openssl1.0:
    A fix is available in Ubuntu standard updates.
    { apt update && apt install --only-upgrade -y libssl1.0.0 libssl1.1 openssl }
    ✔ CVE-2023-0286 is resolved.

The last line states that the CVE is resolved, but when checking via apt policy, it is still the old version:
    apt policy openssl
    openssl:
      Installed: 1.1.1-1ubuntu2.1~18.04.14
      Candidate: 1.1.1-1ubuntu2.1~18.04.14
      Version table:
     *** 1.1.1-1ubuntu2.1~18.04.14 500
        500 https://'an-outdated-ubuntu-mirror' bionic-updates/main amd64 Packages

(expected version is 1.1.1-1ubuntu2.1~18.04.21, from the http://security.ubuntu.com/ubuntu bionic-security/main repository)

The reason the update does not work is that the repositories the machine is subscribed to do not contain the fix.

The bug I want to file is the last line of the 'pro fix' command, being ' ✔ CVE-2023-0286 is resolved.'

This is (presumably) stated because the apt install command was able to run successfully, but that does not mean the CVE is fixed (in this case, I had no repository in my sources.list offering the patch).

Suggestion to change that last line to: "❌ CVE-2023-0286 is not resolved."

The reason for reporting this as a security issue is the false claim that a security vulnerability has been fixed.