Hi Salvatore, According to Pacemaker upstream, they sent forward notice about this vulnerability to the Debian Security Team a couple of weeks before the disclosure. Did you get it? I'm the primary maintainer of the pacemaker package in Debian, but I only learnt about the issue from the bug report you opened right after the disclosure. It was no big deal and stable wasn't affected, but I still wonder how these channels work. Could you please provide some insight? -- Thanks, Feri
