Hi, It seems like that puppet package in lenny is not patched against CVE-2010-0156. According to secunia, there is also a local privileges escalation (http://secunia.com/advisories/36967/) I don't really the time to investigate and check if lenny version is really vulnerable but considering the latest entry in puppet's Changelog I assume that no change has been done since early 2009. Best regards, Didier