OVAL

DSA-3395-2 krb5 -- krb5

ID: oval:org.secpod.oval:def:602275
Date: (C)2015-11-24   (M)2023-12-07
Class: PATCH
Family: unix




Marc Deslauriers reported that the update for krb5 issued as DSA-3395-1 did not contain the patch to address CVE-2015-2697 for the packages built for the oldstable distribution. Updated packages are now available to address this issue. For reference, the relevant part of the original advisory text follows.

CVE-2015-2697: It was discovered that the build_principal_va function incorrectly handles input strings. An authenticated attacker can take advantage of this flaw to cause a KDC to crash using a TGS request with a large realm field beginning with a null byte.

Platform:
Debian 7.x
Product:
krb5-kdc
krb5-kdc-ldap
krb5-admin-server
Reference:
DSA-3395-2
CVE-2015-2697
CVE    1
CVE-2015-2697
CPE    4
cpe:/a:mit:krb5-admin-server
cpe:/o:debian:debian_linux:7.x
cpe:/a:mit:krb5-kdc-ldap
cpe:/a:mit:krb5-kdc
...

© SecPod Technologies