Beat the disclosure on NVE, too: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2713 Canonical seems to be the source of the discovery, so Debian patches for pony aren't available yet.