Comment 14 for bug 331410

Ah-ha, I see the problem now. This vulnerability was introduced after all the versions of net-snmp that were in the archive at the time the CVE was published. At some point Debian packaged the 5.4.x series from a point that did not include the fix, which is why only Lucid and later have the problem.