The dependency libjpeg 9b has critical CVEs #4150

@blzheng

🐛 Bug

The version of the dependency libjpeg is pinned to <= 9b (#3787), but libjpeg 9b has the critical CVEs listed below. All those issues are related to out-of-bounds memory access, which may cause unexpected application behavior. However, these issues are fixed in libjpeg 9d.

CVE-2020-14152
CVE-2020-14153

So do you have a plan to remove the libjpeg pinning to enable users to use libjpeg 9d?
