
Re: [SECURITY] [DSA 3817-1] jbig2dec security update

On 24/03/17 22:32, Moritz Muehlenhoff wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3817-1                   security@debian.org
> https://www.debian.org/security/                       Moritz Muehlenhoff
> March 24, 2017                        https://www.debian.org/security/faq
> -------------------------------------------------------------------------
> Package        : jbig2dec
> CVE ID         : CVE-2016-9601
> Multiple security issues have been found in the JBIG2 decoder library,
> which may lead to denial of service or the execution of arbitrary
> code if a malformed image file (usually embedded in a PDF document) is
> opened.
> For the stable distribution (jessie), this problem has been fixed in
> version 0.13-4~deb8u1.

Hi Security, Release folks,

This security update is in the form of a new upstream release, going
from 0.11+20120125-1 in stable to 0.13-4~deb8u1. I was rather alarmed to
find the following entry in the NEWS.Debian file that appears to pertain
to this update:

> jbig2dec (0.12-1) unstable; urgency=medium
>   * Licensing has changed to GNU Affero General Public License (AGPL).
>     Please ensure that all use complies with this new license.
>  -- Jonas Smedegaard <dr@jones.dk>  Fri, 31 Jul 2015 11:45:03 +0200

Was this expected? Has any thought been paid to people who use
libjbig2dec in jessie currently that may fall foul of this license change?


Chris Boot
GPG: 8467 53CB 1921 3142 C56D  C918 F5C8 3C05 D9CE EEEE
