Hello. What we should do when we miss to specify a CVE ID in a DLA/DSA ? Can we just normally insert in next advisory release.? For eg: DLA-478-1[1] released for squid3 on 16 May 2016 missed to mention 'CVE-2016-3948'. --abhijith [1] - https://lists.debian.org/debian-lts-announce/2016/05/msg00028.html