I'm just sending this out as a 'request for comment' really -- I notice debian-stable has a package for squid which (besides being security-updated already) still has a known buffer overflow in it (although it is apparently of 'unknown risk').
See: http://www.squid-cache.org/Versions/v2/2.4/bugs/#squid-2.4.STABLE7-url_escape

I reported this and was told that it was considered 'not important' and would be sorted out when other things had been sorted out... I wonder if this has been found to be really non-vulnerable or if debian policy doesn't normally allow things to be updated unless a vulnerability has been proved to really exist? I'm confused and would like to know what others think!

-enyc <[EMAIL PROTECTED]>

