I've been a Debian developer for 7 years now, but this last week was the first time I've had to deal with a security bug severe enough to warrant a Debian Security Advisory: DSA 3540-1, for lhasa, the lzh archive decompressor.

If you use lhasa via the Debian package, please upgrade.

(Debian timeline duly updated)