[Bug 1893728] Re: Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive

Rafael David Tinoco 1893728 at bugs.launchpad.net
Thu Sep 3 15:08:51 UTC 2020 

** Also affects: krb5 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: krb5 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: krb5 (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1893728

Title:
  Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Bionic:
  New
Status in krb5 source package in Focal:
  New

Bug description:
  Information in shows that krb5 versions before 1.17 are vulnerable to CVE-2018-20217.
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

  Based on Debian bug report, this is already fixed in 1.16.2 version:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387

  Ubuntu 20.04 LTS (Focal Fossa) includes version krb5 1.17.6:
  https://launchpad.net/ubuntu/focal/+source/krb5

  Ubuntu CVE Tracker page shows that Ubuntu 20.04 LTS (Focal Fossa) doesn't have a package where CVE-2018-20217 is fixed.
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

  Steps to reproduce:
  This was found when examining AWS Elastic Container Registry Vulnerability scanning results for a Docker image based on latest Ubuntu 20.04: Here is the complete line from the report:
  krb5:1.17-6ubuntu4 MEDIUM A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

  It can be seen from the scan that the Docker image included krb5
  bversion 1.17-6.

  Expected:
  No vulnerability finding.

  Actual:
  krb5 bversion 1.17-6ubuntu4 is reported as vulnerable to CVE-2018-20217.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1893728/+subscriptions

More information about the foundations-bugs mailing list