enterprise-support team mailing list archive

[Jani Flaaming <1893728@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

Information in shows that krb5 versions before 1.17 are vulnerable to CVE-2018-20217.
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

Based on Debian bug report, this is already fixed in 1.16.2 version:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387

Ubuntu 20.04 LTS (Focal Fossa) includes version krb5 1.17.6:
https://launchpad.net/ubuntu/focal/+source/krb5

Ubuntu CVE Tracker page shows that Ubuntu 20.04 LTS (Focal Fossa) doesn't have a package where CVE-2018-20217 is fixed.
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

Steps to reproduce:
This was found when examining AWS Elastic Container Registry Vulnerability scanning results for a Docker image based on latest Ubuntu 20.04: Here is the complete line from the report:
krb5:1.17-6ubuntu4 MEDIUM A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

It can be seen from the scan that the Docker image included krb5
bversion 1.17-6.

Expected:
No vulnerability finding.

Actual:
krb5 bversion 1.17-6ubuntu4 is reported as vulnerable to CVE-2018-20217.

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to krb5 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1893728

Title:
  Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1893728/+subscriptions