I released 1.7+dfsg-3 to Debian unstable. That includes a fix to this bug. I'd recommend that Ubuntu sync that version into a karmic update once it hits squeeze in order to address this issue.

The code changes between what's in karmic now and 1.7+dfsg-3 are all reasonably important bug fixes including a number of user visible memory leak fixes, fixes to the lockout problem and fixes to some rare crashes. There were no code changes between 1.7 beta3 and 1.7; I have hand picked patches that resolve important problems people were having for any code changes since the version in karmic.

I understand you try to be conservative about what you accept in an update, although I think it will probably be easier to evaluate the debian diff than to subset the changes I've made. I've tried to show what all is involved below so you can estimate whether my proposal is a viable option. Specific patches are all in the debian krb5 git repo if you do want to subset.

The diffs to the code are reasonably small and address specific bug fixes:

2       3       src/appl/gssftp/ftpd/ftpd.c
7       0       src/lib/gssapi/spnego/spnego_mech.c
17      13      src/lib/kadm5/srv/server_acl.c
16      25      src/lib/kdb/kdb_default.c
1       1       src/lib/krb5/krb/chpw.c
1       2       src/lib/krb5/krb/get_in_tkt.c
1       1       src/lib/krb5/krb/kerrs.c
3       1       src/lib/krb5/krb/pac.c
2       0       src/lib/krb5/krb/t_pac.c
8       2       src/lib/krb5/rcache/rc_none.c
3       3       src/patchlevel.h
7       0       src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
14      14      src/util/profile/prof_file.c
3       0       src/util/profile/prof_int.h
2       7       src/util/profile/prof_tree.c

Here are the fixes that involve code changes:

  * Several fixes applied after the 1.7 release:
    - 6506: correctly handle keytab vs stash file
    - 6508: kadmind ACL parsing could reference uninitialized memory
    - 6509: kadmind can reference null pointer on ACL error
    - 6511: uninitialized memory passed to krb5_free_error in change
      password client path
    - 6514: none replay cache memory leak
    - 6515: profile library mutex performance improvements
    - 6541: memory leak in PAC verify code
    - 6542: Check for null characters in pkinit certs
    - 6543: login vs user order in ftpd sometimes wrong
    - 6551: Memory leak in spnego accept_sec_context error path
  * Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979,
    (LP: #489418)

If you do not choose to accept the full Debian version, I strongly recommend you take at least the fix to the lockout bug, 6543 (can cause people to be unable to log into ftpd), 6542 (security concern about accepting bogus certificates for authentication), and all the memory leaks.

In addition to the code changes, this version includes:

  * autoconf was rerun as part of transition from 1.7beta3 to 1.7

9       9       src/appl/libpty/configure
9       9       src/appl/telnet/configure
10      10      src/configure
9       9       src/appl/bsd/configure
9       9       src/appl/gssftp/configure

The following documentation updates were pulled in moving from 1.7.dfsg~beta3 to 1.7. You probably don't strictly need these, but it should be fairly easy to see they are harmless.

77      25      README
22      3       doc/CHANGES
1021    939     doc/admin-guide.ps
83      2       doc/copyright.texinfo
873     792     doc/install-guide.ps
65      2       doc/krb5-admin.html
165     105     doc/krb5-admin.info
65      2       doc/krb5-install.html
152     92      doc/krb5-install.info
65      2       doc/krb5-user.html
98      38      doc/krb5-user.info
882     801     doc/user-guide.ps

In addition, the following packaging changes were made:

42      0       debian/changelog
2       2       debian/control     # fix LP #472080
3       4       debian/prepsource  # my script not called by build process
1       1       debian/rules       # work around change in dh_makeshlibs
1       1       debian/watch       # new URI for upstream sources