Ricardo Wurmus writes: > Hi Alex, > >> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote: >>> Here is the updated patch: >>> >>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001 >>> From: Alex Vong >>> Date: Wed, 19 Jul 2017 17:01:47 +0800 >>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}. >>> >>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch, >>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files. >>> * gnu/local.mk (dist_patch_DATA): Add them. >>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them. >> >> Thanks! I recreated the commit since the patch no longer applied to >> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531. >> >> I'm leaving this bug open for now so we can discuss the update. > > As mentioned before, the new release bundles a bunch of third party > libraries. It is not clear to me if *all* things under “lib” are > external libraries or if some of them are part of the source code of > heimdal. > No, I don't think so. At least the heimdal/ subdirectory[0] should contain non-third-party code. > Can we learn from the Debian package for heimdal here? > Good suggestion, I think the Build-Depends field in [1] will help. For exmaples, we should not use the bundled sqlite. > I think we really ought to update from the very old version we are using > currently. > Agree, our version is even older than the one in Debian old stable. > -- > Ricardo > > GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC > https://elephly.net [0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib. [1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/control