[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103]

From: Alex Vong
Subject: [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
Date: Thu, 19 Oct 2017 22:57:12 +0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Ricardo Wurmus <address@hidden> writes:

> Hi Alex,
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <address@hidden>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/ (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>> I'm leaving this bug open for now so we can discuss the update.
> As mentioned before, the new release bundles a bunch of third party
> libraries.  It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.

> Can we learn from the Debian package for heimdal here?
Good suggestion, I think the Build-Depends field in [1] will help. For
exmaples, we should not use the bundled sqlite.

> I think we really ought to update from the very old version we are using
> currently.
Agree, our version is even older than the one in Debian old stable.

> --
> Ricardo
> GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]