path: root/data/dla-needed.txt
blob: 22c15c7e6818a1f1d331ee40a75973d69d487c29
An LTS security update is needed for the following source packages.

To add a new entry, please coordinate with this week's Front-Desk
person, and use the 'package-operations' LTS tool.

The specific CVE IDs do not need to be listed; the current set can be gathered from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

When checking what packages to work on, use:
$ ./find-work
from the LTS admin repository; it sorts packages by priority and
displays important notes about each package (special attention, VCS,
testing procedures, programming language, etc.).

To work on a package, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
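
The conventions above (entries separated by a line of '--', a first line
'source-package (claimant)' with the claimant optional, indented
'NOTE: YYYYMMDD: text' lines appended in order) are enough to parse this file
mechanically. The following is an added example written for this page; it is
not the LTS team's own tooling (the 'package-operations' and find-work tools
live in the LTS admin repository and are not reproduced here). It lists the
packages nobody has claimed, oldest first, and the claimed packages whose last
note is older than a cutoff. The SAMPLE text is a constructed excerpt in the
file's own format; the names and dates in it are copied from the list below.

```python
import re
from datetime import date, datetime
from typing import List, NamedTuple, Optional, Union

# Entry line: 'source-package' optionally followed by ' (claimant)'.
ENTRY_RE = re.compile(r"^(?P<pkg>\S+)(?:\s+\((?P<who>[^)]+)\))?\s*$")
# Note line: indented 'NOTE: YYYYMMDD: free text'.
NOTE_RE = re.compile(r"^\s+NOTE:\s*(?P<day>\d{8}):\s?(?P<text>.*)$")


class Note(NamedTuple):
    day: date
    text: str


class Entry(NamedTuple):
    package: str
    claimant: Optional[str]
    notes: List[Note]

    @property
    def added(self) -> Optional[date]:
        """Oldest note date, normally the Front-Desk 'Added by' line."""
        return min((n.day for n in self.notes), default=None)

    @property
    def last_activity(self) -> Optional[date]:
        return max((n.day for n in self.notes), default=None)


def parse_dla_needed(text: str) -> List[Entry]:
    """Split the file on '--' separator lines; block 0 is the free-form header."""
    entries: List[Entry] = []
    for block in re.split(r"^--[ \t]*$", text, flags=re.MULTILINE)[1:]:
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = ENTRY_RE.match(lines[0])
        if head is None:
            raise ValueError(f"malformed entry line: {lines[0]!r}")
        notes: List[Note] = []
        for ln in lines[1:]:
            m = NOTE_RE.match(ln)
            if m is None:
                raise ValueError(f"unexpected line under {head['pkg']}: {ln!r}")
            notes.append(Note(datetime.strptime(m["day"], "%Y%m%d").date(), m["text"]))
        entries.append(Entry(head["pkg"], head["who"], notes))
    return entries


def unclaimed(entries: List[Entry]) -> List[str]:
    """Packages nobody has put their name behind, longest-waiting first."""
    free = [e for e in entries if e.claimant is None]
    return [e.package for e in sorted(free, key=lambda e: (e.added or date.max, e.package))]


def stale(entries: List[Entry], today: Union[date, str], max_days: int = 30) -> List[str]:
    """Claimed packages with no note for more than max_days: candidates for a Front-Desk ping."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [e.package for e in entries
            if e.claimant is not None and e.last_activity is not None
            and (today - e.last_activity).days > max_days]


# Constructed excerpt in the file's own format (a few entries from the list below).
SAMPLE = """An LTS security update is needed for the following source packages.

To work on a package, simply add your name behind it.

--
amanda
  NOTE: 20230730: Added by Front-Desk (apo)
--
bind9 (Thorsten Alteholz)
  NOTE: 20230921: Added by Front-Desk (apo)
  NOTE: 20231023: testing package
--
salt
  NOTE: 20220814: Added by Front-Desk (gladk)
  NOTE: 20230928: see https://lists.debian.org/debian-lts/2023/09/msg00033.html
--
suricata (Adrian Bunk)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
--
"""

if __name__ == "__main__":
    entries = parse_dla_needed(SAMPLE)
    print("unclaimed, oldest first:", unclaimed(entries))
    print("claimed but quiet for >30 days as of 2023-10-28:", stale(entries, "2023-10-28"))
```

Continuation lines that share a date (the multi-line notes further down) come
out as separate Note records with the same day, which is what the "append,
never replace" rule above implies; a parser that wanted the full text of one
remark would join consecutive notes with equal dates.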

--
amanda
  NOTE: 20230730: Added by Front-Desk (apo)
--
audiofile
  NOTE: 20230918: Added by Front-Desk (apo)
  NOTE: 20230919: unfixed upstream (apo)
--
bind9 (Thorsten Alteholz)
  NOTE: 20230921: Added by Front-Desk (apo)
  NOTE: 20231008: backporting patches
  NOTE: 20231023: testing package
--
cacti (guilhem)
  NOTE: 20230906: Added by Front-Desk (lamby)
--
cairosvg
  NOTE: 20230323: Added by Front-Desk (gladk)
  NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
--
cinder
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
docker.io (rouca/santiago)
  NOTE: 20230303: Added by Front-Desk (Beuc)
  NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
  NOTE: 20230424: Is in preparation. (gladk)
  NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html
  NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version)
--
dogecoin
  NOTE: 20230619: Added by Front-Desk (Beuc)
  NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream,
  NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status;
  NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
  NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
--
flatpak
  NOTE: 20231006: Added by Front-Desk (Beuc)
  NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
--
freeimage (gladk)
  NOTE: 20230826: Added by Front-Desk (utkarsh)
  NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him
  NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll
  NOTE: 20230826: out the DLA/ELA now. (utkarsh)
--
freerdp2 (tobi)
  NOTE: 20230924: Added by Front-Desk (apo)
  NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
  NOTE: 20231007: First round done, unfortunately missed a few CVEs while updating, will do a follow-up.
  NOTE: 20231023: Will continue working on package next weekend. (tobi)
--
h2o (gladk)
  NOTE: 20231013: Added by Front-Desk (ta)
--
i2p
  NOTE: 20230809: Added by Front-Desk (Beuc)
  NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
--
imagemagick
  NOTE: 20230622: Added by Front-Desk (Beuc)
  NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
  NOTE: 20231014: Some work under git branch debian/buster but unease
--
jetty9 (Markus Koschany)
  NOTE: 20231011: Added by Front-Desk (ta)
--
libreswan
  NOTE: 20230817: Added by Front-Desk (ta)
  NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
  NOTE: 20230909: https://salsa.debian.org/lts-team/packages/libreswan.git on the experimental
  NOTE: 20230909: branch. Upstream patch for CVE-2023-38710 does not apply at
  NOTE: 20230909: all due to code refactoring. I intend to package the version
  NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo)
--
libspf2 (Thorsten Alteholz)
  NOTE: 20231016: Added by Front-Desk (ta)
--
linux (Ben Hutchings)
  NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
linux-5.10
  NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
--
mediawiki (guilhem)
  NOTE: 20231011: Added by Front-Desk (ta)
--
mosquitto
  NOTE: 20230924: Added by Front-Desk (apo)
  NOTE: 20231009: Waiting for upstream clarification on how to proceed with the open CVE. (apo)
--
node-webpack
  NOTE: 20231005: Added by Front-Desk (Beuc)
  NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)
--
nova
  NOTE: 20230302: Re-add, request by maintainer (Beuc)
  NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces a regression
  NOTE: 20230302: (it's meant to check whether a VMDK image has the "monolithicFlat" subtype, but in practice it breaks compute nodes);
  NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
  NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monolithicFlat disabled by default).
  NOTE: 20230302:  Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo)
  NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected.
  NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely.
  NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby)
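  The subtype allowlist the notes above refer to, written out as an added
  illustration for this page; it is not nova's, glance's or Debian's code.
  Upstream's fix for CVE-2022-47951 asks `qemu-img info` for the image's
  create-type and compares it with the configurable vmdk_allowed_types option,
  whose default is assumed here to be streamOptimized and monolithicSparse;
  this example instead parses the descriptor text directly, both the
  standalone descriptor used by flat layouts and the one embedded in hosted
  sparse files behind the 'KDMV' header. The two sample images are
  constructed, not captured artefacts.

```python
import re
import struct
from typing import List, NamedTuple, Optional, Sequence

# Assumed default of nova's [compute]vmdk_allowed_types after the upstream fix
# for CVE-2022-47951. monolithicFlat is absent on purpose: a flat descriptor
# names its extent file by path, so it can point at any file on the host.
DEFAULT_ALLOWED_TYPES: Sequence[str] = ("streamOptimized", "monolithicSparse")

SECTOR = 512
CREATE_TYPE_RE = re.compile(r'^\s*createType\s*=\s*"?([A-Za-z0-9]+)"?\s*$', re.MULTILINE)
# Extent lines: access, size in sectors, extent type, quoted file name[, offset].
EXTENT_RE = re.compile(
    r'^\s*(RW|RDONLY|NOACCESS)\s+\d+\s+(FLAT|SPARSE|ZERO|VMFSSPARSE|VMFSRDM|VMFSRAW|VMFS)\s+"([^"]*)"',
    re.MULTILINE)


class VmdkInfo(NamedTuple):
    create_type: Optional[str]
    extents: List[str]  # file names the descriptor references


def read_descriptor(data: bytes) -> str:
    """Return the text descriptor. Flat and 2GbMaxExtent layouts keep it as a
    standalone text file; hosted sparse extents (magic 'KDMV') embed it at the
    sector offset recorded in SparseExtentHeader."""
    if data[:4] == b"KDMV":
        # magic, version, flags (u32); capacity, grainSize, descriptorOffset,
        # descriptorSize (u64, all in sectors); little-endian.
        _, _, _, _, _, desc_off, desc_size = struct.unpack_from("<IIIQQQQ", data, 0)
        start, end = desc_off * SECTOR, (desc_off + desc_size) * SECTOR
        return data[start:end].split(b"\0", 1)[0].decode("ascii", "replace")
    return data.decode("ascii", "replace")


def parse_vmdk(data: bytes) -> VmdkInfo:
    text = read_descriptor(data)
    m = CREATE_TYPE_RE.search(text)
    return VmdkInfo(m.group(1) if m else None,
                    [name for _, _, name in EXTENT_RE.findall(text)])


def vmdk_subtype_allowed(data: bytes, allowed: Sequence[str] = DEFAULT_ALLOWED_TYPES) -> bool:
    """True only if the descriptor declares a createType on the allowlist.
    A missing createType is rejected rather than assumed benign."""
    return parse_vmdk(data).create_type in allowed


def check_vmdk(data: bytes, allowed: Sequence[str] = DEFAULT_ALLOWED_TYPES) -> str:
    """Raise ValueError for a disallowed image; return the accepted subtype.
    Run this before the image is ever handed to qemu-img convert."""
    info = parse_vmdk(data)
    if info.create_type not in allowed:
        raise ValueError(f"VMDK subtype {info.create_type!r} not in {list(allowed)}; "
                         f"extents referenced: {info.extents}")
    return info.create_type


# Constructed input: a flat descriptor whose extent points at a host file,
# exactly the shape the allowlist is meant to stop.
FLAT_HOST_FILE = b"""# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 4192256 FLAT "/etc/passwd" 0
"""


def sparse_stub(descriptor: bytes) -> bytes:
    """Constructed hosted-sparse file: a 512-byte header placing the embedded
    descriptor at sector 1, then the descriptor padded to one sector. Only the
    header fields read_descriptor() consults are meaningful."""
    header = struct.pack("<IIIQQQQ", 0x564D444B, 1, 3, 8192, 128, 1, 1)  # 0x564D444B == b'KDMV'
    return header.ljust(SECTOR, b"\0") + descriptor.ljust(SECTOR, b"\0")


SPARSE_OK = sparse_stub(b'# Disk DescriptorFile\nversion=1\ncreateType="monolithicSparse"\n'
                        b'RW 8192 SPARSE "disk.vmdk"\n')

if __name__ == "__main__":
    for name, img in (("flat", FLAT_HOST_FILE), ("sparse", SPARSE_OK)):
        try:
            print(name, "accepted as", check_vmdk(img))
        except ValueError as exc:
            print(name, "rejected:", exc)
```

  The point the notes make about buster is visible here: the check itself is
  a few lines, but it only helps if it runs at every place an untrusted image
  is opened (upload, boot from image, volume creation), and if the codebase
  already has a single spot where the image format is inspected. Without that
  infrastructure a backport has to add it, which is where the regression came from.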
--
nss (Sean Whitton)
  NOTE: 20231015: Added by Front-Desk (ta)
  NOTE: 20231027: Patches backported.  New tests for CVE-2020-25648 do not pass.
  NOTE: 20231027: Asked upstream dev-tech-crypto ML (spwhitton).
--
nvidia-cuda-toolkit
  NOTE: 20230514: Added by Front-Desk (utkarsh)
  NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
  NOTE: 20230514: piled up. (utkarsh)
  NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
  NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
opendkim
  NOTE: 20230821: Added by Front-Desk (ta)
  NOTE: 20231006: Unfixed upstream as of today. (spwhitton)
--
openjdk-11 (Emilio)
  NOTE: 20231019: Added by pochu
--
osslsigncode
  NOTE: 20230925: Added by Front-Desk (apo)
  NOTE: 20230925: Maybe a new upstream release should just do the trick here.
--
phppgadmin (Chris Lamb)
  NOTE: 20230925: Added by Front-Desk (apo)
--
pmix (Chris Lamb)
  NOTE: 20231024: Added by Front-Desk (gladk)
--
python-django (Chris Lamb)
  NOTE: 20231006: Added by Front-Desk (Beuc)
  NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk)
  NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby)
  NOTE: 20231020: Also now vulnerable to CVE-2023-43665. (lamby)
--
python-glance-store
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
  NOTE: 20230705: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store (jspricke)
  NOTE: 20230705: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. (jspricke)
--
python-os-brick
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
rails
  NOTE: 20220909: Re-added due to regression (abhijith)
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
  NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
  NOTE: 20221024: Delay upload, see above comment, users have done a workaround. Not a good idea
  NOTE: 20221024: to break thrice in less than 2 months.
  NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
  NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
--
request-tracker4
  NOTE: 20231024: Added by Front-Desk (gladk)
  NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d
  NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb
  NOTE: 20231025: Andrew Ruthven is working on the buster-security upload, but will let the LTS handle the paperwork
  NOTE: 20231028: Andrew has provided the buster patch, it has been posted to the team mailing list (Message-ID: <ZT0Eo_5cWuoItmph@connexer.com>)
--
ring
  NOTE: 20230903: Added by Front-Desk (gladk)
  NOTE: 20230928: will likely be hard to fix, see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
--
salt
  NOTE: 20220814: Added by Front-Desk (gladk)
  NOTE: 20220814: I am not sure whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
  NOTE: 20230720: Backport to at least 3002.9 in order to fix protocol flaws between client/server
  NOTE: 20230720: Users will need to update both client and server synchronously (flag day).
  NOTE: 20230720: Unfortunately upgrading will need to update some configuration file
  NOTE: 20230720: https://docs.saltproject.io/en/master/topics/releases/2019.2.0.html#non-backward-compatible-change-to-yaml-renderer
  NOTE: 20230720: There are also some minor changes here:
  NOTE: 20230720: https://docs.saltproject.io/en/master/topics/releases/3002.html#execution-module-changes
  NOTE: 20230720: Last but not least salt is not present in stable/testing (rouca)
  NOTE: 20230928: Backported 3002.9, the first version not affected by the crypto flaw
  NOTE: 20230928: will need python3-saltfactories >= 0.907 (which needs python3-setuptools (>= 50.3.2), python3-setuptools-scm (>= 3.4); to be investigated)
  NOTE: 20230928: will need python3-attr (>= 19.1), maybe from buster-backports? or vendored?
  NOTE: 20230928: see https://lists.debian.org/debian-lts/2023/09/msg00033.html
--
samba
  NOTE: 20230918: Added by Front-Desk (apo)
--
suricata (Adrian Bunk)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie,
  NOTE: 20230620: I'd suggest reviewing the CVEs, refining the triage (postponed/ignored),
  NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk)
  NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
  NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
  NOTE: 20231016: Still reviewing+testing CVEs. (bunk)
--
thunderbird (Emilio)
  NOTE: 20231025: Added by pochu
--
trafficserver (Adrian Bunk)
  NOTE: 20231011: Added by Front-Desk (ta)
--
zabbix
  NOTE: 20231015: Added by Front-Desk (ta)
--
