Comment 5 for bug 1716429

Mathieu Lafon (mlafon) wrote :

Hello Simon,

On which patch do you expect me to add the DEP-3 header? Is it the debdiff or the included patch (Add-KDC-authenticity-verification-support-CVE-2015-3206.patch)?

Regarding upstream, the patch has been included in 1.1.6 and updated in 1.1.10 regarding the 'verify' option (should have been optional but it was not the case in the first patch).

Ref:
* https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
* https://github.com/02strich/pykerberos/commit/5867201f1b9c682402aa9b495a654b8f346c8784

Regarding the Ubuntu versions:
* precise: based on 1.1+svn4895, patch included
* trusty: based on 1.1+svn10616, patch *not* included
* vivid: based on 1.1.5, patch *not* included
* xenial: based on 1.1.5, patch included (updated with second fix)
* zesty: based on 1.1.5, patch included (updated with second fix)
* artful: based on 1.1.5, patch included (updated with second fix)

So only trusty and vivid lack the security patch. I don't know if there's a need to patch vivid as it has already reached EOL.