Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| Ubuntu CVE Tracker |
Fix Released
|
Undecided
|
Unassigned | |||
| krb5 (Ubuntu) | ||||||
| Focal |
Invalid
|
Undecided
|
Unassigned | |||
Bug Description
Information in shows that krb5 versions before 1.17 are vulnerable to CVE-2018-20217.
https:/
Based on Debian bug report, this is already fixed in 1.16.2 version:
https:/
Ubuntu 20.04 LTS (Focal Fossa) includes version krb5 1.17.6:
https:/
Ubuntu CVE Tracker page shows that Ubuntu 20.04 LTS (Focal Fossa) doesn't have a package where CVE-2018-20217 is fixed.
https:/
Steps to reproduce:
This was found when examining AWS Elastic Container Registry Vulnerability scanning results for a Docker image based on latest Ubuntu 20.04: Here is the complete line from the report:
krb5:1.17-6ubuntu4 MEDIUM A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
It can be seen from the scan that the Docker image included krb5 bversion 1.17-6.
Expected:
No vulnerability finding.
Actual:
krb5 bversion 1.17-6ubuntu4 is reported as vulnerable to CVE-2018-20217.
| Changed in krb5 (Ubuntu): | |
| status: | New → Fix Released |
| Alex Murray (alexmurray) wrote | #1 |
| no longer affects: | krb5 (Ubuntu) |
| no longer affects: | krb5 (Ubuntu Bionic) |
| Changed in krb5 (Ubuntu Focal): | |
| status: | New → Invalid |
| Changed in ubuntu-cve-tracker: | |
| status: | New → Fix Released |
This was fixed in the https:/