There is two different CVE IDs given to amarok's vulnerabilities: CVE-2009-0135 [1] CVE-2009-0136 [2] I beleive this DSA [3] is for the first CVE. Is there a need to patch the second one and if yes - what is the status of that process? 1: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0135 2: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0136 3: http://lists.debian.org/debian-security-announce/2009/msg00013.html --- Henri Salo