Hi, tl;dr: CVE-2018-21245 is actually CVE-2016-10711.
I've just stumbled over https://security-tracker.debian.org/tracker/CVE-2018-21245 concerning the package "pound", where the notes say:

> https://admin.hostpoint.ch/pipermail/pound_apsis.ch/2018-May/000054.html
> check, unclear exact scope and if fixed with the same fixes as
> CVE-2016-10711

The upstream release announcement pointed to with the URL refers to CVE-2016-10711.

The fixes for CVE-2016-10711 used in Debian and elsewhere are actually a backport of the security-relevant changes between pound 2.7 and 2.8a (pre-release of 2.8). From 2.8a to 2.8 there was only a small change.

See https://salsa.debian.org/debian/pound/-/commits/upstream for upstream change details.

Hope this helps,
Carsten
