Hi Andrei,

Andrei Nikonov <nikonovandrey1...@gmail.com> writes:
> Moreover, the package version 1.16.1-1 is shown as a fixed version on
> the official Ubuntu CVE page
> <https://ubuntu.com/security/CVE-2018-5710>. So I don't think that there
> can be any disagreement in vulnerability information.

None of the people you have explicitly cc'd in this email are affiliated
with Ubuntu so far as I know, so I'm not sure we're the right people to ask.

Given the information you've shown (which matches what I saw when looking
around Launchpad), there certainly doesn't seem to be any indication that
Ubuntu patched CVE-2018-5710 prior to version 1.16.1-1. Ubuntu claims that
bug is fixed in 1.16.1-1, and I see no reason to doubt that, although
unfortunately the CVE reference is confusing. Upstream used CVE-2018-5729
and CVE-2018-5730 to track what appears to be the same vulnerability.
Debian's security tracker notes:

    The CVE is a duplicate of the #891869 issue(s) due to reporter not
    having coordinated with upstream and the CVE assignment is still for
    slightly different coverage. Thus keep it distinct (for now) and mark
    CVE-2018-5710 issue as well as fixed once #891869 is addressed.

at https://security-tracker.debian.org/tracker/CVE-2018-5710 which is
consistent with that analysis.

Please note that I was not involved in preparing this release and haven't
checked any of this analysis myself, but given the above, it seems likely
to me that this bug was fixed in 1.16.1-1 and the bug fix has not been
backported to Ubuntu's 1.16-2ubuntu0.2 release.

> Howbeit, how should I interpret information from the CVE-2018-5710 page
> <https://ubuntu.com/security/CVE-2018-5710>? I have krb5-1.16-2ubuntu0.2
> on my PC and it is vulnerable as its version is less than 1.16.1-1?

That is how I would interpret this information, yes. Note that you should
decide whether you care, given that this bug affects only the KDC and only
with LDAP support enabled.
-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss