Hello Simon,

On which patch do you expect me to add the DEP-3 header? Is it the debdiff or the included patch (Add-KDC-authenticity-verification-support-CVE-2015-3206.patch)?

Regarding upstream, the patch has been included in 1.1.6 and updated in 1.1.10 regarding the 'verify' option (should have been optional but it was not the case in the first patch).

Ref:
* https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
* https://github.com/02strich/pykerberos/commit/5867201f1b9c682402aa9b495a654b8f346c8784

Regarding the Ubuntu versions:
* precise: based on 1.1+svn4895, patch included
* trusty: based on 1.1+svn10616, patch *not* included
* vivid: based on 1.1.5, patch *not* included
* xenial: based on 1.1.5, patch included (updated with second fix)
* zesty: based on 1.1.5, patch included (updated with second fix)
* artful: based on 1.1.5, patch included (updated with second fix)

So only trusty and vivid lack the security patch. I don't know if there's a need to patch vivid as it has already reached EOL.

--
https://bugs.launchpad.net/bugs/1716429

Title: pykerberos for trusty does not include CVE-2015-3206 fix