I recently had a vulnerability scanner flag a server for an OpenSSL library package with a known vulnerability. That was odd, because the server had recently been updated.
The server had been upgraded from Ubuntu 20 to 22, and it turns out the Ubuntu upgrade logic may sometimes leave behind packages for which there is no successor package in the new Ubuntu generation. Package libssl1.1 was therefore left behind at a version with a vulnerability. No software was using the old libssl library, but the finding in the vulnerability scan had to be addressed anyhow.
So next time I upgrade a Debian or Ubuntu server from one generation to the next, I'll make sure to run the following, in addition to "apt --purge autoremove" etc:
apt list ?obsolete
The command outputs packages which are not covered by any active APT source. Its output must be taken with a grain of salt, because it also flags deb packages which were installed directly from a .deb file (or from an APT source that has since been removed) rather than from a currently configured repository. So on the servers I deal with, it lists some packages which are OK to have around.
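Here is an added example (my own script, not something from the original post) of how I would turn that command into a small triage step after a release upgrade. It parses apt-list-style output, drops packages on an allowlist of things deliberately installed from .deb files, and in live mode checks whether any running process still has a shared object from the package mapped. The sample output, the package names in it and the allowlist are constructed for illustration; the /proc/*/maps check is my own heuristic and only sees processes that are currently running.

```sh
#!/bin/sh
# Added example (not from the original post): triage `apt list ?obsolete`
# output after a Debian/Ubuntu release upgrade.
#
# Offline mode (default) parses a constructed sample of the command's output.
# Live mode (`sh triage.sh --live`) runs the real command and additionally
# checks whether a running process still has a file from each package mapped.

# Constructed sample in the format `apt list` prints ("pkg/suite version arch
# [status]"); names and versions are illustrative, not real scanner findings.
SAMPLE_APT_LIST='Listing...
libssl1.1/now 1.1.1f-1ubuntu2.20 amd64 [installed,local]
python3.8/now 3.8.10-0ubuntu1~20.04.9 amd64 [installed,local]
my-internal-agent/now 2.4.1 amd64 [installed,local]'

# Hypothetical allowlist: packages known to be installed on purpose from a
# .deb file rather than an APT repository, so `?obsolete` always lists them.
ALLOWLIST='my-internal-agent'

# obsolete_pkgs OUTPUT: print one package name per line from apt-list-style
# output, skipping the "Listing..." header and anything without a "pkg/suite".
obsolete_pkgs() {
    printf '%s\n' "$1" | awk -F/ '$0 ~ /^[^ \/]+\/[^ ]+ / { print $1 }'
}

# review_candidates OUTPUT ALLOWLIST: obsolete packages not on the allowlist,
# i.e. the ones a scanner finding is most likely to point at.
review_candidates() {
    for name in $(obsolete_pkgs "$1"); do
        case " $2 " in
            *" $name "*) ;;                 # allowlisted, skip it
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# pkg_in_use PKG: exit 0 if some running process has mapped a shared object
# shipped by PKG. Heuristic: matches dpkg's file list against /proc/*/maps,
# so it only reflects processes running right now.
pkg_in_use() {
    dpkg -L "$1" 2>/dev/null | grep '\.so' \
        | grep -q -F -f - /proc/[0-9]*/maps 2>/dev/null
}

if [ "${1:-}" = "--live" ] && command -v apt >/dev/null 2>&1; then
    live=$(apt list ?obsolete 2>/dev/null)
    for name in $(review_candidates "$live" "$ALLOWLIST"); do
        if pkg_in_use "$name"; then
            echo "$name: obsolete and still mapped by a running process"
        else
            echo "$name: obsolete, no running process uses it"
        fi
    done
fi
```

In offline mode the script defines the functions and does nothing else, which makes it easy to test against a saved copy of the command's output before running it with --live on a real server. Packages that show up as "no running process uses it" are the ones "apt --purge autoremove" did not catch and that can usually just be purged; the allowlist is where locally built or vendor-supplied .deb packages go so they stop showing up on every run.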