Dear Sam Hartman, Russ Allbery, Benjamin Kaduk and Security team!

Let me ask you for help and guidance.

At the moment, I have a PC running Ubuntu 18.04 at my disposal. It has some binary packages that depend on the "*krb5*" package. The problem is that the vulnerability scanner finds the *CVE-2018-5710* vulnerability (related to my binary *krb5* packages) and suggests updating to version *1.16.1-1*, even though the packages have been updated to the latest version (*1.16-2ubuntu0.2*). Version *1.16.1-1* is also listed on the vulnerability website <https://ubuntu.com/security/CVE-2018-5710> and in the OVAL data on which the scanner operates.

I found that there are later versions of the krb5 package for Debian distributions, but I cannot officially update my package (using the package manager on Ubuntu OS). I've also seen discussions on this topic on the Internet <https://github.com/future-architect/vuls/issues/1069>, but it only points out a possible error in the OVAL data.

I ask you to consider my letter and, if possible, give an explanation of this case. Maybe this is just a technical hitch and no update has been added for the version? Or can the information in the OVAL data be updated to reflect the current version?

Let me thank you for your work in fixing software security holes. This is an important and necessary task.

Hoping for an answer

--
Andrey Nikonov, Security engineer, "Frodex" Ltd. Ufa, Russia.
Ubuntu-devel-discuss mailing list, Ubuntu-devel-discuss@lists.ubuntu.com