[Cc-ing Greg Roelofs, who owns and maintains libpng.org] On Wed, Dec 3, 2025 at 11:09 PM Alan Coopersmith < [email protected]> wrote:
> Does this bug (and the recent bugs fixed in 1.6.51) not affect the older > branches of libpng, or is the statement that "libpng 1.2.x continues to get > security fixes, as has 1.0.x for well over a decade" on > https://libpng.org/pub/png/libpng.html no longer correct? The good news is this: neither this bug nor the ones in the previous v1.6.51 release affect those ancient libpng releases. What these bugs DO affect is a thing called "the simplified libpng API", which was added in libpng-1.6.0. The bad news is this: > https://libpng.org/pub/png/libpng.html I have seen that page a thousand times, and... yet... OOPSIE!! > Is the statement on https://libpng.sourceforge.io/index.html that the older > branches "ARE NO LONGER UPDATED" and were frozen in 2017 the correct one now? Yes, that is correct. Sincerely, Cosmin
