On 24/03/17 22:32, Moritz Muehlenhoff wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3817-1                   secur...@debian.org
> https://www.debian.org/security/                       Moritz Muehlenhoff
> March 24, 2017                        https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : jbig2dec
> CVE ID         : CVE-2016-9601
>
> Multiple security issues have been found in the JBIG2 decoder library,
> which may lead to denial of service or the execution of arbitrary
> code if a malformed image file (usually embedded in a PDF document) is
> opened.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 0.13-4~deb8u1.

Hi Security, Release folks,

This security update is in the form of a new upstream release, going from 0.11+20120125-1 in stable to 0.13-4~deb8u1. I was rather alarmed to find the following entry in the NEWS.Debian file that appears to pertain to this update:

> jbig2dec (0.12-1) unstable; urgency=medium
>
>   * Licensing has changed to GNU Affero General Public License (AGPL).
>     Please ensure that all use complies with this new license.
>
>  -- Jonas Smedegaard <d...@jones.dk>  Fri, 31 Jul 2015 11:45:03 +0200

Was this expected? Has any thought been paid to people who use libjbig2dec in jessie currently that may fall foul of this license change?

Thanks,
Chris

--
Chris Boot
bo...@debian.org
GPG: 8467 53CB 1921 3142 C56D C918 F5C8 3C05 D9CE EEEE