I have a feeling I'm about to embarrass myself by displaying either ignorance or a failure to spot the obvious, but here goes...
The other day there was a Debian security advisory about the flex package. On my Debian machines, the fix can be installed by the usual apt commands. However, I also have Linux machines that don't use a package management system, and there I also have a version of flex with the vulnerability, so I wanted to get the source tarball of the fixed version (v2.6.1) so I could build it for there too. And the only place I can find 2.6.1 is on Debian's package website. The latest version the upstream site (SourceForge) has is v2.6.0, which as I understand it has the vulnerability.
Anyone know what the deal is here?
Mark