CVE-2018-5710: krb5 package version issue

Marc Deslauriers marc.deslauriers at canonical.com
Tue Mar 23 10:47:58 UTC 2021


Hi,

On 2021-03-22 9:56 a.m., Andrei Nikonov wrote:
> Dear Sam Hartman, Russ Allbery, Benjamin Kaduk and Security team!
> 
> Let me ask you for help and guidance.
> 
> At the moment, I have a PC running Ubuntu 18.04 at my disposal. It has some
> binary packages that depend on the krb5 package. The problem is that the
> vulnerability scanner finds the CVE-2018-5710 vulnerability (related to my
> binary krb5 packages) and suggests updating to version 1.16.1-1, even though
> the packages have been updated to the latest version (1.16-2ubuntu0.2).
> 
> Version 1.16.1-1 is also listed on the vulnerability website
> (https://ubuntu.com/security/CVE-2018-5710) and in the OVAL data on which the
> scanner operates.

This was a typo in our CVE database, which generates our OVAL data. CVE-2018-5710
is currently unfixed in the 1.16-2ubuntu0.2 package in Ubuntu 18.04 LTS. We've
now corrected our database, and once regenerated, our OVAL data should reflect
this.

>
> I found that there are later versions of the krb5 package for Debian
> distributions, but I cannot officially update my package (using the package
> manager on Ubuntu OS).
> 
> I've also seen discussions on this topic on the Internet
> (https://github.com/future-architect/vuls/issues/1069), but it only points out
> a possible error in the OVAL data.
> 
> I ask you to consider my letter and, if possible, give an explanation of this
> case. Maybe this is just a technical hitch and no update has been added for the
> version? Or can the information in the OVAL data be updated to reflect the
> current version?

Yes, it was a mistake in the OVAL data.

> 
> Let me thank you for your work in fixing software security holes. This is an
> important and necessary task.
> 
> Hoping for an answer
> -- 
> Andrey Nikonov,
> Security engineer,
> "Frodex" Ltd.
> Ufa, Russia.
> 
> 

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
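The scanner's verdict follows directly from how dpkg orders version strings: an OVAL "less than" test compares the installed package version against the version the CVE entry says fixed the issue. As an added example (not code from this thread, from Ubuntu's tooling, or from any scanner; function names are mine), here is a Python reimplementation of the Debian Policy 5.6.12 comparison algorithm (the one behind `dpkg --compare-versions`), applied to the two versions discussed above, 1.16-2ubuntu0.2 versus the 1.16.1-1 that the OVAL data wrongly listed. It handles the general case (epochs, the `~` pre-release marker, Debian revisions), not just this pair.

```python
"""Debian/Ubuntu package version comparison, as used by OVAL 'less than' checks.

Reimplements the ordering from Debian Policy 5.6.12 (the algorithm behind
`dpkg --compare-versions`) and applies it to the versions from the thread.
Added example; not part of the original thread or any project's code.
"""


def _order(c: str) -> int:
    """Sort weight of one character inside a non-digit run."""
    if c == "" or c.isdigit():
        return 0            # end of string and digits both terminate the run
    if c.isalpha():
        return ord(c)       # letters sort before non-letters ...
    if c == "~":
        return -1           # ... and '~' sorts before everything, even the end
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version components (upstream or revision) dpkg-style.

    Alternates between non-digit runs (compared character by character with
    _order) and digit runs (compared numerically), left to right.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # 1. non-digit run: first differing character decides
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # 2. digit run: drop leading zeros, longer run wins, else first
        #    differing digit decides
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]. Epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)   # last hyphen starts the revision
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0, as `dpkg --compare-versions a lt/eq/gt b` would."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """The OVAL-style test a scanner applies: installed < fixed_in => flagged."""
    return compare_versions(installed, fixed_in) < 0


if __name__ == "__main__":
    # Versions from the thread: the installed Ubuntu 18.04 package versus the
    # mistyped fix version carried in the OVAL data.
    installed, oval_fixed = "1.16-2ubuntu0.2", "1.16.1-1"
    print(f"{installed} < {oval_fixed}: {is_vulnerable(installed, oval_fixed)}")
    # The upstream part 1.16 sorts below 1.16.1 before the revision is even
    # looked at, so no 1.16-2ubuntuN.M build can satisfy that threshold.
    print(f"{installed} > 1.16-2: {compare_versions(installed, '1.16-2') > 0}")
```

The point for anyone triaging such a finding: the scanner is applying the ordering correctly, so the verdict can only change when the OVAL entry itself changes, which is what Marc describes. On the affected host the same comparison can be spot-checked with `dpkg --compare-versions 1.16-2ubuntu0.2 lt 1.16.1-1 && echo flagged`.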
