The recent update of jasperreports apparently fixed CVE-2017-5528 and
CVE-2017-5529. There are still three CVE which are not addressed yet. The
advisory for CVE-2017-5532 mentions that the solution is to upgrade to
version 6.3.3 or 6.4.2. It is not clear to me whether the Debian
package is actually affected by CVE-2017-5533 or CVE-2017-14941 due to
lack of information.
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.