* Florian Weimer: >> If I add cupsys to the removed-packages file is an >> additional <removed> tag in CVE/list still needed? > > Yes, otherwise the issue is not marked as unfixed for etch et al. There seems to have been a misunderstanding: It is not necessary (and even wrong) to change the version numbers on historic entries. You only should use <removed> for new vulnerabilities.