Distros may not update software versions when backporting some things, meaning they add a suffix they control to the version, e.g. 2.4.57-ubuntu1.2 or whatever, but the version reported by the software itself might still be 2.4.57.
It depends on the release process. I was also confused once; I was asking myself why the repo was reporting a CVE as fixed when it still showed the old version.