diff --git a/source.dif b/source.dif
index 813e669..f12f8d6 100644
--- a/source.dif
+++ b/source.dif
@@ -634,7 +634,15 @@
 %
 % For reference, here is the old brace-using definition:
 %TEXMFCNF = {$SELFAUTOLOC,$SELFAUTODIR,$SELFAUTOPARENT}{,{/share,}/texmf{-local,}/web2c}
-@@ -791,3 +792,33 @@ max_cols.gftype = 8191
+@@ -568,7 +569,6 @@ extractbb,\
+ gregorio,\
+ kpsewhich,\
+ makeindex,\
+-mpost,\
+ repstopdf,\
+
+ % we'd like to allow:
+@@ -791,3 +791,33 @@ max_cols.gftype = 8191
 % Guess input encoding (SJIS vs. Unicode, etc.) in pTeX and friends?
 % Default is 0, to not guess.
 guess_input_kanji_encoding = 1
diff --git a/texlive.changes b/texlive.changes
index 020a130..f996c18 100644
--- a/texlive.changes
+++ b/texlive.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Mar 8 12:02:02 UTC 2017 - werner@suse.de
+
+- Modify patch kpathsea_cnf.dif to remove mpost from the allowed
+ shell escaping commands (bsc#1028271, CVE-2016-10243)
+
 -------------------------------------------------------------------
 Tue Dec 6 16:57:18 UTC 2016 - werner@suse.de
diff --git a/texlive.spec b/texlive.spec
index fb0d9cf..a2f2ce0 100644
--- a/texlive.spec
+++ b/texlive.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package texlive
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
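Review bot: The nested hunk at `-568,7 +569,6` in source.dif drops `mpost,\` from the list of allowed shell-escape commands but leaves no trace of the reason in the patched texmf.cnf, so a later refresh of this patch against a newer upstream file could silently bring the entry back. I would add a comment line to the `% we'd like to allow:` block that follows, for example `% mpost - removed from the list, see CVE-2016-10243 (bsc#1028271)`; that block continues outside the hunk, so the exact position and the nested hunk's line counts need checking against the full file. The change only affects the packaged texmf.cnf: a site-local or per-user texmf.cnf that sets `shell_escape_commands` itself would presumably still list mpost, which deserves a sentence in the texlive.changes entry so administrators know to review their overrides.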