CVE-2018-5710: krb5 package version issue

Andrei Nikonov nikonovandrey1994 at
Mon Mar 22 18:03:21 UTC 2021

Dear Sam,

Thank you for the answer.
First: the vulnerability source that I use is Ubuntu's official OVAL data.
I downloaded the file by this link.
For your convenience, I attached a screenshot with the CVE-2018-5710 definition
from this file. Moreover, the package version 1.16.1-1 is shown as a fixed
version on the official Ubuntu CVE page. So I don't think that there
can be any disagreement in vulnerability information.

As for the question of whose issue it is (Debian or Ubuntu) - I am not sure
how this mechanism works, but I wrote to you as you are the maintainer for
krb5. It is shown in the last link on the CVE page,
and on the official Ubuntu packages page.

I also looked through the Ubuntu Changelog
and the Debian Changelog
for the krb5 package - there is the same record in both of them about the
1.16-2 version of krb5 (Sat, 20 Jan 2018 11:02:57).
And right after that, in the Debian Changelog the 1.16.1-1 version appeared, while in
the Ubuntu Changelog the next version for krb5 is 1.16-2build1.

I might just assume that this can be some minor point with copying the krb5
version for Debian to Ubuntu vulnerability data.

Howbeit, how should I interpret information from the CVE-2018-5710 page?
I have krb5-1.16-2ubuntu0.2 on
my PC and it is vulnerable as its version is less than 1.16.1-1? But my
version is actual.

With appreciation,
Andrey Nikonov,
Security engineer,
"Frodex" Ltd.
Ufa, Russia.

On Mon, 22 Mar 2021 at 21:41, Sam Hartman <hartmans at> wrote:

> This doesn't sound like a Debian issue.
> It sounds more like a disagreement between your source of vulnerability
> information and Ubuntu about when a problem is fixed (or whether it
> was).
> I also don't see CVE-2018-5710 as a vulnerability that upstream lists as
> fixed in their git history.
> I would not want to take on the liability of making a comment about
> whether a particular issue is fixed in a particular package version in
> Ubuntu unless I prepared that version.
> --Sam

Best regards,
Andrey Nikonov.

More information about the Ubuntu-devel-discuss mailing list