I was eagerly awating the release of linux-2.6_2.6.32-48squeeze4 because it would fix #701744 (fallout from XSA-39: Linux netback DoS via malicious guest ring)
It turns out I should have read the bug report more closely.
#701744 was only about the xen-netback side of things.
I haven't been able to find a debian bug about the REAL bug - the xen-netfront gso overflow.