On Sun, 15 Feb 2015 08:16:35 -0500, Vin Shelton wrote: > The vcdiff change comes from emacs and is GPLv3 and cannot be added to > 21.4's GPLv2 codebase. Does the 21.4 code have any mitigation for CVE-2008-1694 without that patch? And would you consider CVE-2009-2688 fixed in the 21.4 codebase? Are the Gentoo patches just belts-and-suspenders over what 21.4 implements? (The xemacs tracker entry is private, which is funny since there's documentation from a dozen Linux distributions...) Cheerio, hauke -- The ASCII Ribbon Campaign Hauke Fath () No HTML/RTF in email Institut für Nachrichtentechnik /\ No Word docs in email TU Darmstadt Respect for open standards Ruf +49-6151-16-3281