Thank you for your help!

On Sat, 13 Apr 2024 at 09:56, Cyrille <cyri...@bollu.be> wrote:
>
> I don’t know anything about your procedures, but I don’t see why we wouldn’t…
>
> I would also contact NIST (or whoever is in charge of the CVE database; I
> can’t remember by heart who it is) to let them know this, so they update the
> CVE’s vulnerable configurations. I’ll try to do that next week, but I will
> probably first have to find out which exact versions of openjpeg2 have been
> affected (which will probably be quite difficult for me)
>
> Nice week-end
>
> Cyrille
>
> > On 13 Apr 2024 at 00:22, Ola Lundqvist <o...@inguza.com> wrote:
> >
> > Hi Cyrille
> >
> >> On Fri, 12 Apr 2024 at 16:32, Cyrille Bollu <cyri...@bollu.be> wrote:
> >>
> >> Hi Ola,
> >>
> >> Thank you for your help.
> >>
> >> So, IIUC:
> >>
> >> 1. CVE-2019-12214 shouldn't be assigned to freeimage in Debian Buster;
> >> 2. CVE-2019-12214 might be assigned to source package openjpeg2 or
> >> openjpeg (the latter doesn't seem to be available in Buster though)
> >
> > Yes, potentially so. At least if I understand the email from Santiago
> > correctly.
> >
> > freeimage build depends on libopenjp2-7-dev which is built from
> > openjpeg2 so in buster it is openjpeg2 where it should belong.
> >
> > But I do not know whether we typically re-assign things like this or
> > not so I do not want to give advice for this. Better if someone else
> > who knows the practice answers this.
> >
> > // Ola
> >
> > --
> >  --- Inguza Technology AB --- MSc in Information Technology ----
> > |  o...@inguza.com                    o...@debian.org            |
> > |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> >  ---------------------------------------------------------------

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------