Hi Mathieu,

When Debian fixed this issue for Jessie and Wheezy (their stable releases), they left the default to off, in order to not break existing setups that aren't prepared to do validation of the KDC (as it requires possibly setting up an additional keytab). The update for Ubuntu 12.04 LTS included this default. I think this is the sensible thing to do for Ubuntu 14.04 LTS.
(See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796195 and in particular, the added NEWS entry in http://launchpadlibrarian.net/211063096/pykerberos_1.1+svn4895-1build2_1.1+svn4895-1+deb6u1build0.12.04.1.diff.gz for explanation.)

I'm touching up your debdiff to do this (and include a similar NEWS entry), and will push this to trusty-security next week.

Thanks.

** Bug watch added: Debian Bug tracker #796195
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796195

** Changed in: pykerberos (Ubuntu Trusty)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

--
https://bugs.launchpad.net/bugs/1716429

Title:
  pykerberos for trusty does not include CVE-2015-3206 fix