Hi there, It turns out there are three CVEs associated with DCMTK version older than 3.6.7. * https://www.hipaajournal.com/warning-issued-about-3-high-severity-vulnerabilities-in-offis-dicom-software/ Should we get in touch with debian-security to have them properly reported ? I am not clear about the process. Thanks,