FTR, I did a small analysis, and that's for sure that CVE-2019-12214 relates to code from openjpeg: Looking at the content of folder "LibOpenJpeg" in freeimage 'source code show exactly the same files as in https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2
However, since freeimage copies those files into its source tree rather than relying on shared libraries, it should probably still be listed as a "CPE affected software configuration" for this CVE... BTW, while freeimage might be dead, libopenjpeg is still alive BR, Cyrille
