On Sun, 08 May 2016, Craig Small wrote:
> The changelog for 4.5.2+dfsg-1 mentions it fixes a XSS attack,
> 4.5.2+dfsg-1~bpo8-1 is the backport of that same package. Is that enough,
> or you want the bpo change to mention it's a security release?

Yes. And don't forget
http://backports.debian.org/Contribute/#index3h2

Alex