Comment 8 for bug 1104425

Actually, it would appear the version in Lucid isn't affected by this flaw. The vulnerability seems to originate from this debian-specific patch:

cfingerd (1.4.3-3) unstable; urgency=low
   * Applied IPv6 patch from Mats Erik Andersson
     <email address hidden> (closes: Bug#570024)