Source: openjpeg2
Version: 2.1.0-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://github.com/uclouvain/openjpeg/issues/863
Control: fixed -1 2.1.0-2+deb8u2

Hi,

the following vulnerabilities were published for openjpeg2. Filing it as RC severity, since Moritz's DSA for openjpeg2 will contain fixes for those two CVEs, and not having those fixed in stretch would imply a regression.

CVE-2016-9572[0] and CVE-2016-9573[1]. There is an upstream issue at [2] with patch[3].

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9572
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9572
[1] https://security-tracker.debian.org/tracker/CVE-2016-9573
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
[2] https://github.com/uclouvain/openjpeg/issues/863
[3] https://github.com/szukw000/openjpeg/commit/7b28bd2b723df6be09fe7791eba33147c1c47d0d

Regards,
Salvatore