Andrew Reid writes: > Will there be an "etch" security patch for this for amd64? The daemon > runs as root, so there's a potential exploit opportunity, and even if > there weren't, it's a possible DOS attack. It's a DoS attack really more than an exploit (sign extension bugs on internal calls that don't use user-supplied data, which I believe is a correct characterization of this problem, are unlikely to be exploitable), and I don't think the Debian security folks will consider it worth an advisory. I will, however, check with the stable release managers about uploading a fixed package for the next stable point release. Ken, I assume from the previous bug discussion that this was already fixed in 1.6? It looks like that file now includes k5-int.h and k5-int.h now includes time.h. -- Russ Allbery (rra@debian.org)