CVE-2018-5710: krb5 package version issue

Russ Allbery rra at
Mon Mar 22 18:48:31 UTC 2021

Hi Andrei,

Andrei Nikonov <nikonovandrey1994 at> writes:

> Moreover, the package version 1.16.1-1 is shown as a fixed version on
> the official Ubuntu CVE page
> <>. So I don't think that there
> can be any disagreement in vulnerability information.

None of the people you have explicitly cc'd in this email are affiliated
with Ubuntu so far as I know, so I'm not sure we're the right people to
ask.  Given the information you've shown (which matches what I saw when
looking around Launchpad), there certainly doesn't seem to be any
indication that Ubuntu patched CVE-2018-5710 prior to version 1.16.1-1.

Ubuntu claims that bug is fixed in 1.16.1-1, and I see no reason to doubt
that, although unfortunately the CVE reference is confusing.  Upstream
used CVE-2018-5729 and CVE-2018-5730 to track what appears to be the same
vulnerability.  Debian's security tracker notes:

    The CVE is a duplicate of the #891869 issue(s) due to reporter not
    having coordinated with upstream and the CVE assignment is still for
    slightly different coverage. Thus keep it distinct (for now) and mark
    CVE-2018-5710 issue as well as fixed once #891869 is addressed.

at which is
consistent with that analysis.

Please note that I was not involved in preparing this release and haven't
checked any of this analysis myself, but given the above, it seems likely
to me that this bug was fixed in 1.16.1-1 and the bug fix has not been
backported to Ubuntu's 1.16-2ubuntu0.2 release.

> Howbeit, how should I interpret information from the CVE-2018-5710 page
> <>? I have krb5-1.16-2ubuntu0.2
> on my PC and it is vulnerable as its version is less than 1.16.1-1?

That is how I would interpret this information, yes.

Note that you should decide whether you care, given that this bug affects
only the KDC and only with LDAP support enabled.

Russ Allbery (rra at              <>
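As an added illustration (my own code, not part of this thread, of dpkg or of krb5): a Python port of dpkg's version-comparison rules, which is what makes 1.16-2ubuntu0.2 sort below 1.16.1-1 and so get flagged against a "fixed in 1.16.1-1" entry, plus a small triage helper encoding the caveat above that only a KDC with LDAP support is affected. The `assess` wording and the `runs_kdc_with_ldap` flag are assumptions made for the example.

```python
def _order(c: str) -> int:
    """dpkg character weight for non-digit runs; '~' sorts before even the empty string."""
    if c.isdigit() or not c:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream version or a revision as dpkg does: alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character weights (letters < '.', '+' etc.; '~' lowest of all)
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # numeric run: compared as integers, so leading zeros drop and a longer run is larger
        ni, nj = i, j
        while ni < len(a) and a[ni].isdigit():
            ni += 1
        while nj < len(b) and b[nj].isdigit():
            nj += 1
        na, nb = int(a[i:ni] or "0"), int(b[j:nj] or "0")
        if na != nb:
            return na - nb
        i, j = ni, nj
    return 0

def _split(v: str):
    """'[epoch:]upstream[-revision]': epoch ends at the first ':', the last '-' starts the revision."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, 0 if equal, positive if a > b: epoch, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def assess(installed: str, fixed_in: str, runs_kdc_with_ldap: bool) -> str:
    # Triage in the spirit of the reply: the version check alone flags the package,
    # but only a KDC with LDAP support actually exposes this bug (assumed flag).
    if compare_versions(installed, fixed_in) >= 0:
        return "at or above fixed version"
    if not runs_kdc_with_ldap:
        return "below fixed version, but affected component (KDC with LDAP) not in use"
    return "below fixed version and affected component in use: confirm a backport or upgrade"
```

The comparison deliberately says nothing about whether a distribution backported the fix under a lower version number; that still has to be checked in the package changelog.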

