Hi Raphael, CVE-2011-3923 seems to be a Struts vulnerability, why is it assigned to Spring? Emmanuel Bourg PS: pkg-java-maintainers at lists.alioth.debian.org is mainly a notification list, most of the Java maintainers do not read it. I suggest posting your update requests to debian-java at lists.debian.org instead.