Heya! Long time no see.

I’ve just made an advisory about CVE-2013-1436. It was quite interesting to discover and exploit. A patch with a fix is already available. If you use xmonad along with xmobar or dzen, you should patch and re-compile your xmonad binary as soon as posible, or you’ll be exposed to a remote command injection vulnerability.

I would like to thank Joachim Breitner and the Debian Security Team for their help in disclosing this issue.