Public bug reported: Information in shows that krb5 versions before 1.17 are vulnerable to CVE-2018-20217. https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html
Based on Debian bug report, this is already fixed in 1.16.2 version: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387 Ubuntu 20.04 LTS (Focal Fossa) includes version krb5 1.17.6: https://launchpad.net/ubuntu/focal/+source/krb5 Ubuntu CVE Tracker page shows that Ubuntu 20.04 LTS (Focal Fossa) doesn't have a package where CVE-2018-20217 is fixed. https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html Steps to reproduce: This was found when examining AWS Elastic Container Registry Vulnerability scanning results for a Docker image based on latest Ubuntu 20.04: Here is the complete line from the report: krb5:1.17-6ubuntu4 MEDIUM A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request. It can be seen from the scan that the Docker image included krb5 bversion 1.17-6. Expected: No vulnerability finding. Actual: krb5 bversion 1.17-6ubuntu4 is reported as vulnerable to CVE-2018-20217. ** Affects: krb5 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1893728 Title: Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1893728/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
