Is this security bug still open, after more than six years? Yes, but it doesn't belong in the Debian BTS. It would be nice if someone could file all these bug reports into the proper place, http://sv.gnu.org/p/hurd.