Juan Gallego wrote: > is sarge affected by this vulnerability? or has sarge been archived and i > missed the announcement? The main attack vector - pygrub/xen - doesn't exist in Sarge. The other attacks are more or less theoretical and hardly justify modifications to an important core package like this. Cheers, Moritz