CVE-2018-5710: krb5 package version issue

Marc Deslauriers marc.deslauriers at
Tue Mar 23 10:47:58 UTC 2021


On 2021-03-22 9:56 a.m., Andrei Nikonov wrote:
> Dear Sam Hartman, Russ Allbery, Benjamin Kaduk and Security team!
> Let me ask you for help and guidance.
> At the moment, I have a PC running Ubuntu 18.04 at my disposal. It has some
> binary packages that depend on the "/krb5/" package. The problem is that the
> vulnerability scanner finds the *CVE-2018-5710* vulnerability (related to my
> binary /krb5/ packages) and suggests updating to version *1.16.1-1*, even though
> the packages have been updated to the latest version (*1.16-2ubuntu0.2*).
> Version *1.16.1-1* is also listed on the vulnerability website and in the
> OVAL data on which the scanner operates.

This was a typo in our CVE database which generates our OVAL data. CVE-2018-5710
is currently unfixed in the 1.16-2ubuntu0.2 package in Ubuntu 18.04 LTS. We've
now corrected our database, and once regenerated, our OVAL data should now
reflect this.

> I found that there are later versions of the krb5 package for Debian
> distributions, but I cannot officially update my package (using the package
> manager on Ubuntu OS).
> I've also seen discussions on this topic on the Internet, but it only points
> out a possible error in the OVAL data.
> I ask you to consider my letter and, if possible, give an explanation of this
> case. Maybe this is just a technical hitch and no update has been added for the
> version? Or can the information in the OVAL data be updated to reflect the
> current version?

Yes, it was a mistake in the OVAL data.

> Let me thank you for your work in fixing software security holes. This is an
> important and necessary task.
> Hoping for an answer
> -- 
> Andrey Nikonov,
> Security engineer,
> "Frodex" Ltd.
> Ufa, Russia.


Marc Deslauriers
Ubuntu Security Engineer
Canonical Ltd.
