Also: Why did Debian apply patches to a service that runs as root (when those patches have been rected upstream) for a second time after such behavior has already led to a widely known vulnerability in Debian.