According to debsecan on one of my Lenny boxes, CVE-2009-4411 can be fixed by upgrading: *** Available security updates CVE-2009-4411 The (1) setfacl and (2) getfacl commands in XFS acl... <http://security-tracker.debian.net/tracker/CVE-2009-4411> - libacl1 (low urgency) But when I try to upgrade the Lenny machine, there is no update available. Is the hole incorrectly classified? Happy hacking, -- Petter Reinholdtsen