GLSA-202004-10 marks all openssl versions under 1.1.1g as vulnerable. However, 1.0.2u fixed CVE-2019-1551 [1] and 1.0.2* and 1.1.0* versions are not affected by CVE-2020-1967 [2].

[1] https://www.openssl.org/news/openssl-1.0.2-notes.html
[2] https://www.openssl.org/news/secadv/20200421.txt

Reproducible: Always
Same status here. GLSA-202004-10 has caused Nessus to build plugin # 135946, which incorrectly marks anything prior to 1.1.1g as vulnerable. Specifically 1.0.2u is the one I'm having trouble with.
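The two comments above describe the same defect from both sides: the GLSA (and the Nessus plugin generated from it) encodes a single flat cut-off, "anything that sorts before 1.1.1g", while OpenSSL ships parallel branches that each receive their own fixes. The script below is an added illustration, not part of the bug report or of the Gentoo/Nessus tooling. It parses OpenSSL 1.x version strings (digits plus an optional patch letter), shows the flat comparison next to a branch-aware lookup, and reports per-CVE status. The branch table uses the facts stated in the report (1.0.2u fixed CVE-2019-1551; 1.0.2* and 1.1.0* are not affected by CVE-2020-1967) plus two values taken from the linked OpenSSL advisories rather than from this page: CVE-2020-1967 was introduced in 1.1.1d and fixed in 1.1.1g, and CVE-2019-1551 was fixed on the 1.1.1 branch in 1.1.1e. Branches the table does not mention are reported as "unknown" rather than silently treated as safe.

```python
import re

# Marker for "this branch never contained the bug" (assumption-free: the
# entries that use it are taken straight from the bug report / advisory).
NOT_AFFECTED = "not-affected"

# Per-CVE, per-branch (first affected release, first fixed release).
# Constructed for this example from the thread and the linked OpenSSL notes;
# the 1.1.1-branch values are from the upstream advisories, not this page.
ADVISORY = {
    "CVE-2019-1551": {
        "1.0.2": ("1.0.2", "1.0.2u"),   # report: fixed in 1.0.2u
        "1.1.1": ("1.1.1", "1.1.1e"),   # OpenSSL 1.1.1e changelog (not on this page)
        # 1.1.0 deliberately absent: the page says nothing, so report "unknown"
    },
    "CVE-2020-1967": {
        "1.0.2": NOT_AFFECTED,          # report + advisory 20200421
        "1.1.0": NOT_AFFECTED,          # report + advisory 20200421
        "1.1.1": ("1.1.1d", "1.1.1g"),  # advisory 20200421 (introduced in 1.1.1d)
    },
}

# OpenSSL 1.x scheme: major.minor.fix followed by an optional patch letter,
# e.g. "1.1.1" (base release), "1.1.1g", "1.0.2u".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Return (branch, sort_key) for an OpenSSL 1.x version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL 1.x version string: {text!r}")
    major, minor, fix, letter = m.groups()
    branch = f"{major}.{minor}.{fix}"
    # Patch letters order "" < "a" < ... < "z" < "za": compare length first.
    key = (int(major), int(minor), int(fix), len(letter), letter)
    return branch, key


def naive_is_vulnerable(version, threshold="1.1.1g"):
    """The flat rule the GLSA/Nessus plugin encodes: everything that sorts
    before the threshold is vulnerable, whatever branch it belongs to."""
    return parse_version(version)[1] < parse_version(threshold)[1]


def status(version, cve):
    """Branch-aware status: 'affected', 'fixed', 'not-affected' or 'unknown'."""
    branch, key = parse_version(version)
    entry = ADVISORY[cve].get(branch)
    if entry is None:
        return "unknown"            # no data for this branch: do not guess
    if entry is NOT_AFFECTED:
        return NOT_AFFECTED
    first_affected, first_fixed = entry
    if key < parse_version(first_affected)[1]:
        return NOT_AFFECTED         # predates the bug's introduction
    if key < parse_version(first_fixed)[1]:
        return "affected"
    return "fixed"


def affected_cves(version):
    """CVEs from the table for which the version is known to be affected."""
    return sorted(cve for cve in ADVISORY if status(version, cve) == "affected")


def unknown_cves(version):
    """CVEs for which the table has no data about this version's branch."""
    return sorted(cve for cve in ADVISORY if status(version, cve) == "unknown")


if __name__ == "__main__":
    for v in ["1.0.2t", "1.0.2u", "1.1.0l", "1.1.1c", "1.1.1f", "1.1.1g"]:
        print(f"{v:7} flat<1.1.1g={naive_is_vulnerable(v)!s:5} "
              f"affected={affected_cves(v)} unknown={unknown_cves(v)}")
```

Running it shows the disagreement the reporters describe: the flat rule flags 1.0.2u, 1.1.0l and 1.1.1c, while the branch-aware lookup flags 1.0.2t only for CVE-2019-1551 and 1.1.1f only for CVE-2020-1967, and reports CVE-2019-1551 on 1.1.0 as unknown because neither the bug report nor the table has data for it. A scanner check built this way needs one (first affected, first fixed) pair per branch, which is exactly the per-slot information the patch in the next comment tries to express in the GLSA XML.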
Created attachment 643856
Fix affected OpenSSL versions for GLSA 202004-10

Same issue here. 1.0.2u is not affected by either of the CVEs in this GLSA. I think the attached patch to glsa-202004-10.xml is the right way to fix it, based on how other GLSAs handle multiple slots with different affected versions. Unfortunately I do not know the right way to submit PRs for the glsa.git repo, as it is not mirrored to GitHub like the main portage tree is.
Closing as CANTFIX: OpenSSL in Gentoo never used slots, and the subslot format was too specific, which makes it impossible for us to properly target affected versions.