On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote: > THis patch upgrades heimdal to its latest version, fixing > CVE-2017-11103. Here are a few remarks: Thanks! We also need to look at our samba package, which bundles heimdal (we should fix that). > 1. Upstream switches to github for hosting Okay. > 2. A lots of libraries are bundled Which directory are they in? We should take a look at them and weigh the risk of adding new vulnerabilities through the use of (possibly old and unmaintained) bundled libraries. If things look complicated, maybe it's possible to apply a patch to this older Heimdal while we figure everything out. Maybe we can find a patch for CVE-2017-11103 from Red Hat or another long-term-support distro. I noticed an unrelated patch for Heimdal 1.6 here: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a > 3. Many db tests fail Do you think they are a problem in practice? Ludovic, you added Heimdal, what do you think about this big version bump? > 4. It does not build reproducibly Not great but also not a blocker. > From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001 > From: Alex Vong > Date: Tue, 18 Jul 2017 06:36:48 +0800 > Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103]. > > * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0. > [source]: Update source uri. > [arguments]: Adjust #:configure-flags and build phases accordingly. > [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo. > #:phases (modify-phases %standard-phases > + (add-after 'unpack 'pre-build > + (lambda _ > + (for-each (lambda (file) ;fix sh paths > + (substitute* file > + (("/bin/sh") > + (which "sh")))) > + '("appl/afsutil/pagsh.c" "tools/Makefile.am")) Do we re-bootstrap because we edit Makefile.am? Is it possible to edit the generated Makefile directly?