Dear Sam,

Thank you for the answer.

At first: the vulnerability source that I use is the official Ubuntu OVAL data <https://ubuntu.com/security/oval>. I downloaded the file from this link <https://security-metadata.canonical.com/oval/com.ubuntu.bionic.cve.oval.xml.bz2>. For your convenience, I attached a screenshot with the CVE-2018-5710 definition from this file. Moreover, the package version 1.16.1-1 is shown as a fixed version on the official Ubuntu CVE page <https://ubuntu.com/security/CVE-2018-5710>. So I don't think that there can be any disagreement in vulnerability information.

As for the question of whose issue it is (Debian or Ubuntu): I am not sure how this mechanism works, but I wrote to you as you are the maintainer for krb5. It is shown in the last link <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889685> on the CVE page, and on the official Ubuntu packages page <https://packages.ubuntu.com/en/source/bionic/krb5>. I also looked through the Ubuntu changelog <http://changelogs.ubuntu.com/changelogs/pool/main/k/krb5/krb5_1.16-2ubuntu0.2/changelog> and the Debian changelog <https://metadata.ftp-master.debian.org/changelogs//main/k/krb5/krb5_1.18.3-4_changelog> for the krb5 package; there is the same record in both of them about the 1.16-2 version of krb5 (Sat, 20 Jan 2018 11:02:57). And right after that, in the Debian changelog the 1.16.1-1 version appeared, while in the Ubuntu changelog the next version for krb5 is 1.16-2build1. I might just assume that this can be some minor point with copying the krb5 version from Debian to Ubuntu vulnerability data.

Howbeit, how should I interpret the information from the CVE-2018-5710 page <https://ubuntu.com/security/CVE-2018-5710>? I have krb5 1.16-2ubuntu0.2 on my PC; is it vulnerable because its version is less than 1.16.1-1? But my version is up to date.

With appreciation,
--
Andrey Nikonov,
Security engineer, "Frodex" Ltd.
Ufa, Russia.

Mon, 22 Mar 2021 at 21:41, Sam Hartman <[email protected]>:
> This doesn't sound like a Debian issue.
> It sounds more like a disagreement between your source of vulnerability
> information and Ubuntu about when a problem is fixed (or whether it
> was).
> I also don't see CVE-2018-5710 as a vulnerability that upstream lists as
> fixed in their git history.
>
> I would not want to take on the liability of making a comment about
> whether a particular issue is fixed in a particular package version in
> Ubuntu unless I prepared that version.
>
> --Sam

--
Best regards, Andrey Nikonov.
-- Ubuntu-devel-discuss mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
