<div dir="ltr">Dear Sam Hartman, Russ Allbery, Benjamin Kaduk and Security team!<br><div><br></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>Let me ask you for help and guidance. <br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span><br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>At the moment, I have a PC running Ubuntu 18.04 at my disposal. It has some binary packages that depend on the "<i>krb5</i>" package. The problem is that the vulnerability scanner finds the <b>CVE-2018-5710</b> vulnerability (related to my binary <i>krb5</i> packages) and suggests updating to version <b>1.16.1-1</b>, even though the packages have been updated to the latest version (<b>1.16-2ubuntu0.2</b>). <br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span><br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>Version <b>1.16.1-1</b> is also listed on the <a href="https://ubuntu.com/security/CVE-2018-5710">vulnerability website</a> (<a href="https://ubuntu.com/security/CVE-2018-5710">https://ubuntu.com/security/CVE-2018-5710</a>) and in the OVAL data on which the scanner operates. <br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span><br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>I found that there are later versions of the krb5 package for Debian distributions, but I cannot officially update my package (using the package manager on Ubuntu OS). <br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span><br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>I've also seen <a href="https://github.com/future-architect/vuls/issues/1069">discussions on this topic</a> on the Internet (<a href="https://github.com/future-architect/vuls/issues/1069">https://github.com/future-architect/vuls/issues/1069</a>), but it only points out a possible error in the OVAL data. <br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span><br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>I ask you to consider my letter and, if possible, give an explanation of this case. Maybe this is just a technical hitch and no update has been added for the version? Or can the information in the OVAL data be updated to reflect the current version? <br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span><br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>Let me thank you for your work in fixing software security holes. This is an important and necessary task. <br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span><br></span></span></span></div><div><span class="gmail-VIiyi" lang="en"><span class="gmail-JLqJ4b"><span>
Hoping for an answer</span></span></span> <br>-- <br><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div style="font-size:small">Andrey Nikonov,</div><div style="font-size:small">Security engineer,</div><div style="font-size:small">"Frodex" Ltd.<br></div></div><div>Ufa, Russia.</div><div><br></div></div></div></div></div></div></div>