Just for the record: before packaging this update, we will need to investigate the issue much further.
In particular, it seems likely that there are more undocumented but public security issues in Calibre. See for example bug #853004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853004 But there may be more. A. -- A lot of people never use their initiative because no-one told them to. - Bansky