Control: notfound -1 sredird/2.1.0-1 Control: fixed -1 2.2.1-1.1
I see that CVE-2004-2386 and maybe CVE-2004-2387 was addressed with #267098. The diff (one change in LogMsg and one in HandleCPCCommand) that is in that bug has survived until now. But 2.2.2 has many more changes of the HandleCPCCommand kind: changing sprintf to snprintf. main: 2 changes. HandleIACCommand: 5 changes. HandleCPCCommand: 17 additional changes: Any of these cound be CVE-2004-2387 as well. HDBUnlockFile: 1 change. HDBLockFile: 7 changes. Plus TmpStrLen is extended to 512 bytes. Conclusion: Debian referenced both bugs as TEMP-0267098-76A1A1 before.

