Fortunately, this is only in the 2.3 series: http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2006-05/msg00530.html 2.1.* and 2.2.* don't have the option popsubfolders and doesn't seem to be affected by the vulnerability. -> Current Debian packages not affected. Regards, Sven