For the record, I heard about this about two weeks ago and uploaded Debian etch/lenny updates to the Debian security queue. The TIFF patch (which you fixed here) is trivial and obvious, so we should either get it into jaunty, or do a jaunty-security update immediately after.
I absolutely agree about not getting upstream 1.3.10 with the DNS rebinding patch, since this sounds dubious and regression-prone.
Thanks for preparing the updates!