Isn't it CAN-2003-0689? (I have not seen that fixed in libc6's changelog.Debian.gz.) The CAN itself states that versions 2.2.4 and older are affected, but eg. http://www.securityfocus.com/bid/8477 says that even 2.2.5 in Woody is affected. So may it be right, or is this something else? norbi