The fix for CVE-2008-3222 in 5.8 was missing, so drupal issued 5.9.
Bumped to 5.9, removed 5.8. Unstable on all archs. webapps done.
thanks, closing without glsa.