An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name after it.
To learn more about how this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
ansible
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
ark
  NOTE: 20200731: given PoC not working as intended. (abhijith)
  NOTE: 20200801: though testing with other PoCs available over the internet seems exploitable (abhijith)
  NOTE: 20200820: pinged upstream for help (abhijith)
  NOTE: 20200907: patch https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes (abhijith)
  NOTE: 20200921: CLI works but GUI does not; it seems the fix is not compatible with the old architecture (abhijith)
--
bluez (Chris Lamb)
--
brotli (Roberto C. Sánchez)
--
cacti
  NOTE: 20200529: A patch needs to be cooked up. Upstream patch not fit for jessie version (abhijith)
  NOTE: 20200620: WIP (abhijith)
  NOTE: 20200629: Working on the patch (abhijith)
  NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh)
  NOTE: 20200726: partial fix https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch (abhijith)
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal (lamby)
  NOTE: 20200913: Patches prepared. Build in progress (hope this 45 GB build goes fine). (ola)
  NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
  NOTE: 20200928: If someone knows how to test the packages, please take this build and upload (after testing it).
--
cimg (Thorsten Alteholz)
  NOTE: 20200709: Upstream patch is against a newer "load_network_external"
  NOTE: 20200709: method (vs "load_network") but is still missing the argument
  NOTE: 20200709: sanitisation. (lamby)
  NOTE: 20201005: checking whether reverse dependencies still build/work
  NOTE: 20201018: recovering from a broken computer :-(
--
condor
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
  NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
--
dompurify.js
  NOTE: 20201013: Package only in stretch - needs investigation to identify patch. (lamby)
--
f2fs-tools
  NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial
  NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
--
firefox-esr (Emilio)
--
fossil
  NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a
  NOTE: 20200903: database query in src/add.c. In fact, the patch fixing this CVE is quite invasive. Maybe decide
  NOTE: 20200903: not to fix it?
--
freerdp
--
golang-1.7
--
golang-1.8
--
golang-github-dgrijalva-jwt-go
--
golang-golang-x-net-dev
--
guacamole-server (Markus Koschany)
  NOTE: 20201010: Reported my findings to the maintainers and the
  NOTE: security team. Waiting for feedback. CVE is in guacamole-server not in
  NOTE: guacamole-client. Backporting the upstream patch seems viable.
--
junit4
--
jupyter-notebook
  NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
--
kdeconnect
--
lemonldap-ng
  NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby)
--
libonig (Markus Koschany)
  NOTE: 20201002: Fix for CVE-2020-26159 is too trivial. Besides that, please consider
  NOTE: 20201002: fixing other errors mentioned in https://github.com/kkos/oniguruma/issues/207
  NOTE: 20201002: and the other 6/7 CVEs tagged as no-dsa in stretch but fixed in jessie. (utkarsh)
--
libproxy (Emilio)
  NOTE: 20201012: patch not sanctioned upstream yet (Emilio)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mariadb-10.1 (Emilio)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
  NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
--
open-build-service
  NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
  NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh)
--
opendmarc
  NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
--
php-horde-trean
  NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
  NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
--
phpmyadmin (Abhijith PA)
--
pluxml
  NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
--
python3.5 (Thorsten Alteholz)
  NOTE: 20201011: testing package
  NOTE: 20201018: recovering from a broken computer :-(
--
qtsvg-opensource-src (Adrian Bunk)
  NOTE: 20201019: Tracking down build error (problem in my setup?).
--
reel
  NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
--
ruby-actionpack-page-caching
  NOTE: 20200819: Upstream's patch does not apply due to subsequent
  NOTE: 20200819: refactoring. However, a quick look at the private
  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
  NOTE: 20200819: uses the path without normalising any "../" etc., simply
  NOTE: 20200819: URI.parser.unescape-ing it. Requires more investigation. (lamby)
--
ruby-doorkeeper
  NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh)
  NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
  NOTE: 20200831: more investigation needed. (utkarsh)
  NOTE: 20201009: on another note, it needs more investigation if this version is affected in
  NOTE: 20201009: the first place or not. (utkarsh)
--
ruby-kaminari
  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
  NOTE: 20200819: the one upstream or in its many forks. For example, both the
  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
  NOTE: 20200819: file has been refactored a few times). (lamby)
  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
  NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
ruby-oauth
--
samba
  NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
  NOTE: 20200801: Stretch update already released, so no conflict. (roberto)
  NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740 are ready. (roberto)
  NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto)
  NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know where the patches are (ola).
  NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver)
--
shiro
  NOTE: 20200920: WIP
  NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
  NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
--
slirp
  NOTE: Upstream patch for CVE-2020-8608 requires patches for
  NOTE: CVE-2020-7039 to be applied first, as they both patch
  NOTE: the same lines of code in tcp_subr.c (bam).
--
spice (Utkarsh)
--
spice-gtk (Utkarsh)
--
sympa
  NOTE: 20201007: I issued DLA-2401-1 to address overdue critical vulnerability.
  NOTE: 20201007: Lesser issues should pop up soon following work with upstream:
  NOTE: 20201007: https://github.com/sympa-community/sympa/issues/943
  NOTE: 20201007: I also prepared and tested a CVE-2018-1000671 backport:
  NOTE: 20201007: https://www.beuc.net/tmp/debian-lts/sympa/
  NOTE: 20201007: I won't have time to do more this month (Beuc)
  NOTE: 20201015: See #972189. (lamby)
--
thunderbird (Emilio)
  NOTE: 20201017: build failure on armhf (Emilio)
--
tinymce (abhijith)
  NOTE: 20201003: relevant commits are hard to chase down (abhijith)
  NOTE: 20201019: Working on it, CVE-2020-12648 not reproducible (abhijith)
--
wireshark (Adrian Bunk)
  NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
  NOTE: 20201007: those fixes as well! \o/ (utkarsh)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--
zabbix
  NOTE: 20201014: Will require some in-depth investigation work. Upstream ticket remains locked since May, diffoscope of 5.0.1 to 5.0.2 is 44MB and contains approx 50 changes. (lamby)
--
zeromq3 (Adrian Bunk)
  NOTE: 20201011: testing fixed package (bunk)
--
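Added illustration for the ruby-actionpack-page-caching entry above. This is example code written for this list, not the gem's own page_cache_file method and not the upstream patch: unsafe_page_cache_file is a constructed model of the mechanism lamby's note describes (URL-unescaping the request path and appending an extension, with no normalisation of "../"), safe_page_cache_file is an assumed hardening that resolves the result and refuses anything outside the cache root, and the /var/cache/pages root and the request paths are made up for the demonstration. URI::RFC2396_Parser is used because it is the parser class URI.parser returned.

```ruby
require "uri"

# Parser class with the unescape behaviour of the URI.parser call named in
# the note (URI.parser historically returned a URI::RFC2396_Parser).
PARSER = URI::RFC2396_Parser.new

# Constructed model of the mechanism from the note, NOT the gem's real
# page_cache_file: the cache file name is the request path, URL-unescaped,
# with an extension appended and no normalisation of "../" segments.
# cache_dir and the request paths used below are assumptions.
def unsafe_page_cache_file(cache_dir, path, extension = ".html")
  name = (path.empty? || path == "/") ? "/index" : PARSER.unescape(path.chomp("/"))
  name += extension unless name.end_with?(extension)
  File.join(cache_dir, name)
end

# Where the file would actually land once the OS resolves ".." segments.
def resolved_target(cache_dir, path)
  File.expand_path(unsafe_page_cache_file(cache_dir, path))
end

# Hardened variant (an assumption for this example, not upstream's fix):
# resolve the candidate path and refuse anything outside the cache root.
def safe_page_cache_file(cache_dir, path, extension = ".html")
  root = File.expand_path(cache_dir)
  candidate = File.expand_path(unsafe_page_cache_file(cache_dir, path, extension))
  unless candidate.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "request path escapes cache directory: #{path.inspect}"
  end
  candidate
end

if __FILE__ == $PROGRAM_NAME
  cache = "/var/cache/pages" # assumed cache root, constructed for the demo
  # Constructed request paths: one benign, one with literal "..", one with
  # "%2e%2e" which only becomes ".." after the unescape step.
  ["/posts/1", "/../../../etc/cron.d/evil", "/%2e%2e/%2e%2e/%2e%2e/etc/x"].each do |p|
    puts "#{p.ljust(32)} -> #{resolved_target(cache, p)}"
    begin
      safe_page_cache_file(cache, p)
      puts "  hardened: accepted"
    rescue ArgumentError => e
      puts "  hardened: rejected (#{e.message})"
    end
  end
end
```

The percent-encoded case is the one worth keeping in mind when reviewing a backport: a check on the raw request path for ".." would pass it, because the traversal only appears after unescaping, so any normalisation has to happen on the decoded, joined path.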