Hello, I notice that the CVE id which was assigned to the arbitrary free() wasn't communicated to you by Tavis. It was assigned CVE-2009-0040. The Fedora updates will reference this ID, as I suspect will a number of other vendor-sec member update. Thanks. -- JB