http://seclists.org/lists/fulldisclosure/2005/Oct/0218.html
This listing is against the version in Debian stable, which is 1.2.3. Currently I have packaged 1.2.4. I'm not even sure this bug affects the version currently in FE. The cve.mitre.org listing says it's under review and currently displays no usefull information. I'll accept any suggestions. :)
Created attachment 119815 [details] Fix extracted from Debian's Sarge update Seems to be an issue in 1.2.4, too.
Fixed in 1.2.4-4.*