CVE-2018-5710: krb5 package version issue
Andrei Nikonov
nikonovandrey1994 at gmail.com
Mon Mar 22 18:03:21 UTC 2021
Dear Sam,
Thank you for the answer.
First, the vulnerability source that I use is the official Ubuntu OVAL data
<https://ubuntu.com/security/oval>. I downloaded the file from this link
<https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2>.
For your convenience, I attached a screenshot with the CVE-2018-5710 definition
from this file. Moreover, the package version 1.16.1-1 is shown as the fixed
version on the official Ubuntu CVE page
<https://ubuntu.com/security/CVE-2018-5710>. So I don't think there
can be any disagreement in the vulnerability information.
As for the question of whose issue it is (Debian or Ubuntu), I am not sure
how this mechanism works, but I wrote to you as you are the maintainer of
krb5. That is shown in the last link
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889685> on the CVE page,
and on the official Ubuntu packages page
<https://packages.ubuntu.com/en/source/bionic/krb5>.
I also looked through the Ubuntu changelog
<http://changelogs.ubuntu.com/changelogs/pool/main/k/krb5/krb5_1.16-2ubuntu0.2/changelog>
and the Debian changelog
<https://metadata.ftp-master.debian.org/changelogs//main/k/krb5/krb5_1.18.3-4_changelog>
for the krb5 package. There is the same record in both of them about the
1.16-2 version of krb5 (Sat, 20 Jan 2018 11:02:57).
And right after that, version 1.16.1-1 appears in the Debian changelog, while in
the Ubuntu changelog the next version of krb5 is 1.16-2build1.
I might just assume that this is some minor issue with copying the krb5
version from the Debian to the Ubuntu vulnerability data.
Nevertheless, how should I interpret the information from the CVE-2018-5710 page
<https://ubuntu.com/security/CVE-2018-5710>? I have krb5 1.16-2ubuntu0.2 on
my PC; is it vulnerable because its version is less than 1.16.1-1? But my
version is up to date.
With appreciation,
--
Andrey Nikonov,
Security engineer,
"Frodex" Ltd.
Ufa, Russia.
On Mon, 22 Mar 2021 at 21:41, Sam Hartman <hartmans at debian.org> wrote:
> This doesn't sound like a Debian issue.
> It sounds more like a disagreement between your source of vulnerability
> information and Ubuntu about when a problem is fixed (or whether it
> was).
> I also don't see CVE-2018-5710 as a vulnerability that upstream lists as
> fixed in their git history.
>
> I would not want to take on the liability of making a comment about
> whether a particular issue is fixed in a particular package version in
> Ubuntu unless I prepared that version.
>
> --Sam
>
--
Best regards,
Andrei Nikonov.
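Added here as an illustration, not part of the thread: a Python port of the dpkg version ordering (Debian Policy 5.6.12, the rules `dpkg --compare-versions` applies), showing why an OVAL-style "installed version is less than 1.16.1-1" test matches 1.16-2ubuntu0.2. The upstream part 1.16 sorts below 1.16.1, so the Ubuntu revision is never even looked at; the helper names are my own.

```python
# Added example: port of dpkg's version ordering (Debian Policy 5.6.12); not code from the thread.

def _order(c: str) -> int:
    # dpkg weight of a non-digit char: '~' < end of string ('') < letters < other symbols
    return 0 if (not c or c.isdigit()) else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # alternate non-digit runs (by _order) and digit runs (numeric, leading zeros dropped);
    # s[k:k+1] is '' past the end of the string
    i = j = 0
    while i < len(a) or j < len(b):
        while (a[i:i+1] and not a[i].isdigit()) or (b[j:j+1] and not b[j].isdigit()):
            ac, bc = _order(a[i:i+1]), _order(b[j:j+1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while a[i:i+1] == "0":
            i += 1
        while b[j:j+1] == "0":
            j += 1
        first_diff = 0
        while a[i:i+1].isdigit() and b[j:j+1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i+1].isdigit() or b[j:j+1].isdigit():
            return 1 if a[i:i+1].isdigit() else -1  # the longer digit run is the larger number
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    # [epoch:]upstream[-debian_revision]; a missing epoch is 0, a missing revision is ''
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def dpkg_compare(a: str, b: str) -> int:
    # -1, 0 or 1 as `dpkg --compare-versions` would order a against b: epoch, upstream, revision
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def flagged_vulnerable(installed: str, fixed_in: str) -> bool:
    # the OVAL-style "installed is less than the fixed version" test the mail asks about
    return dpkg_compare(installed, fixed_in) < 0
```

Running `flagged_vulnerable("1.16-2ubuntu0.2", "1.16.1-1")` returns True, while the same package compares above plain 1.16-2 and above 1.16-2build1, matching the order in the Ubuntu changelog.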