Hi,

On 2021-03-22 9:56 a.m., Andrei Nikonov wrote:
> Dear Sam Hartman, Russ Allbery, Benjamin Kaduk and Security team!
>
> Let me ask you for help and guidance.
>
> At the moment, I have a PC running Ubuntu 18.04 at my disposal. It has some
> binary packages that depend on the "krb5" package. The problem is that the
> vulnerability scanner finds the CVE-2018-5710 vulnerability (related to my
> binary krb5 packages) and suggests updating to version 1.16.1-1, even though
> the packages have been updated to the latest version (1.16-2ubuntu0.2).
>
> Version 1.16.1-1 is also listed on the vulnerability website
> <https://ubuntu.com/security/CVE-2018-5710> and in the OVAL data on which the
> scanner operates.

This was a typo in our CVE database which generates our OVAL data.
CVE-2018-5710 is currently unfixed in the 1.16-2ubuntu0.2 package in Ubuntu
18.04 LTS. We've now corrected our database, and once regenerated, our OVAL
data should now reflect this.

> I found that there are later versions of the krb5 package for Debian
> distributions, but I cannot officially update my package (using the package
> manager on Ubuntu OS).
>
> I've also seen discussions on this topic
> <https://github.com/future-architect/vuls/issues/1069> on the Internet, but
> it only points out a possible error in the OVAL data.
>
> I ask you to consider my letter and, if possible, give an explanation of this
> case. Maybe this is just a technical hitch and no update has been added for
> the version? Or can the information in the OVAL data be updated to reflect
> the current version?

Yes, it was a mistake in the OVAL data.

> Let me thank you for your work in fixing software security holes. This is an
> important and necessary task.
>
> Hoping for an answer
> --
> Andrey Nikonov,
> Security engineer,
> "Frodex" Ltd.
> Ufa, Russia.

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd.           | http://www.canonical.com/