Hi Alex, > On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote: >> Here is the updated patch: >> >> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001 >> From: Alex Vong >> Date: Wed, 19 Jul 2017 17:01:47 +0800 >> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}. >> >> * gnu/packages/patches/heimdal-CVE-2017-6594.patch, >> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files. >> * gnu/local.mk (dist_patch_DATA): Add them. >> * gnu/packages/kerberos.scm (heimdal)[source]: Use them. > > Thanks! I recreated the commit since the patch no longer applied to > 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531. > > I'm leaving this bug open for now so we can discuss the update. As mentioned before, the new release bundles a bunch of third party libraries. It is not clear to me if *all* things under “lib” are external libraries or if some of them are part of the source code of heimdal. Can we learn from the Debian package for heimdal here? I think we really ought to update from the very old version we are using currently. -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net