Re: [SECURITY] [DSA 3817-1] jbig2dec security update
On 24/03/17 22:32, Moritz Muehlenhoff wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3817-1 security@debian.org
> https://www.debian.org/security/ Moritz Muehlenhoff
> March 24, 2017 https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package : jbig2dec
> CVE ID : CVE-2016-9601
>
> Multiple security issues have been found in the JBIG2 decoder library,
> which may lead to denial of service or the execution of arbitrary
> code if a malformed image file (usually embedded in a PDF document) is
> opened.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 0.13-4~deb8u1.

Hi Security, Release folks,

This security update is in the form of a new upstream release, going
from 0.11+20120125-1 in stable to 0.13-4~deb8u1. I was rather alarmed to
find the following entry in the NEWS.Debian file that appears to pertain
to this update:
> jbig2dec (0.12-1) unstable; urgency=medium
>
> * Licensing has changed to GNU Affero General Public License (AGPL).
> Please ensure that all use complies with this new license.
>
> -- Jonas Smedegaard <dr@jones.dk> Fri, 31 Jul 2015 11:45:03 +0200

Was this expected? Has any thought been paid to people who use
libjbig2dec in jessie currently that may fall foul of this license change?

Thanks,
Chris
--
Chris Boot
bootc@debian.org
GPG: 8467 53CB 1921 3142 C56D C918 F5C8 3C05 D9CE EEEE