Hello,

I started to work on fixing jbig2dec/wheezy for
https://security-tracker.debian.org/tracker/CVE-2016-9601
but the patch that allegedly fixes the current issue is rather invasive, and while looking at the git history you will quickly see that almost all the changes since the version that we have in wheezy and jessie are potential security issues that were never assigned any CVE:
http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog

- Many CERT reported issues
- Many fuzzing related bugs
- Many valgrind errors
- Many heap overflow/underflow

Thus I wonder if the proper approach is not to update the version that we have in wheezy/jessie to be in sync with what's in stretch/sid. The number of reverse dependencies is rather low and we should be able to ensure that they are still working as expected.

I can only do that in wheezy if we also do it in jessie, so I seek the input of the security team as well. I can prepare the update for both suites.

Let me know your thoughts.

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/