1. Thanks for the patch and announcement today : SUSE-SA:2006:008 2. There seems to have been a co-ordinated disclosure and release of patches for CVE-2006-0225 on January 25. Why did SuSE (and Debian) not participate in that? Did the other vendors choose not to co-ordinate with SuSE (and Debian) ? 3. I have now avidly read the majorr reports of CVE-2006-0225, most of whom classify it as low priority, and all classify as local. It seems to me, from the reports I read, that it is a local privilege escalation that allows an authenticated scp user to execute arbitrary shell commands, even if they have scp-only privileges. I am not in any way a skilled penetration tester - so I have to make a judgement based on what I read. Have I misunderstood the other reports, or have the other reports got it right, or have SuSE discovered something new that makes it indeed a *remote* vulnerability? David