CVE-2018-5710: krb5 package version issue

Andrei Nikonov nikonovandrey1994 at gmail.com
Mon Mar 22 13:56:18 UTC 2021


Dear Sam Hartman, Russ Allbery, Benjamin Kaduk and Security team!

Let me ask you for help and guidance.

At the moment, I have a PC running Ubuntu 18.04 at my disposal. It has some
binary packages that depend on the "krb5" package. The problem is that
the vulnerability scanner finds the CVE-2018-5710 vulnerability (related
to my binary krb5 packages) and suggests updating to version 1.16.1-1,
even though the packages have been updated to the latest version
(1.16-2ubuntu0.2).

Version 1.16.1-1 is also listed on the vulnerability website
<https://ubuntu.com/security/CVE-2018-5710> and in the OVAL data on which
the scanner operates.

I found that there are later versions of the krb5 package for Debian
distributions, but I cannot officially update my package (using the package
manager on Ubuntu OS).

I've also seen discussions on this topic
<https://github.com/future-architect/vuls/issues/1069> on the Internet,
but it only points out a possible error in the OVAL data.

I ask you to consider my letter and, if possible, give an explanation of
this case. Maybe this is just a technical hitch and no update has been
added for the version? Or can the information in the OVAL data be updated
to reflect the current version?

Let me thank you for your work in fixing software security holes. This is
an important and necessary task.

Hoping for an answer
-- 
Andrey Nikonov,
Security engineer,
"Frodex" Ltd.
Ufa, Russia.
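Why a scanner that works from version strings alone reports the package: as an added example (not part of this email and not code from any Ubuntu or dpkg tool), here is a Python re-implementation of dpkg's version-comparison rules, applied to the two versions named above (1.16-2ubuntu0.2 installed, 1.16.1-1 listed as fixed). Function names are my own.

```python
import re

def _order(c):
    # dpkg's character weight: '~' sorts before anything, even the end of the
    # string (weight 0); letters sort before every other non-digit character.
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _tokens(s):
    # Split into runs of digits and non-digits, starting with a (possibly empty) non-digit run.
    t = re.findall(r"\d+|\D+", s)
    return t if t and not t[0].isdigit() else [""] + t

def _cmp_run(x, y, numeric):
    # Digit runs compare numerically (an absent run counts as 0, so "1." == "1.0");
    # non-digit runs compare character by character, an absent character weighing 0.
    if numeric:
        kx, ky = int(x or 0), int(y or 0)
    else:
        n = max(len(x), len(y))
        kx = [_order(c) for c in x] + [0] * (n - len(x))
        ky = [_order(c) for c in y] + [0] * (n - len(y))
    return (kx > ky) - (kx < ky)

def _verrevcmp(a, b):
    # Compare one fragment (upstream version or Debian revision) run by run.
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    for k, (x, y) in enumerate(zip(ta + [""] * (n - len(ta)), tb + [""] * (n - len(tb)))):
        r = _cmp_run(x, y, numeric=(k % 2 == 1))
        if r:
            return r
    return 0

def compare_versions(a, b):
    # -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision.
    def split(v):  # '[epoch:]upstream[-revision]'
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def scanner_flags(installed, fixed_in):
    # A version-only check raises the CVE whenever installed < fixed_in; it cannot
    # tell whether the fix was backported into a lower-numbered distro revision.
    return compare_versions(installed, fixed_in) < 0
```

Under these rules the upstream part "1.16" sorts below "1.16.1" before the Ubuntu revision is even looked at, so a check that compares only version numbers reports the CVE regardless of what the distro revision contains; the package changelog (`apt changelog` on the installed binary package) or the Ubuntu security notice is what shows whether a fix was backported.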