path: root/data/dla-needed.txt
blob: 7bba238b67d163b5ad2cb994a535125218b816bf
An LTS security update is needed for the following source packages.

To add a new entry, please coordinate with this week's Front-Desk
person, and use the 'package-operations' LTS tool.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

When checking what packages to work on, use:
$ ./find-work
from the LTS admin repository, to sort packages by priority and
display important notes about the package (special attention, VCS,
testing procedures, programming language, etc.).

To work on a package, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
bind9 (Chris Lamb)
  NOTE: 20230623: Added by Front-Desk (Beuc)
  NOTE: 20230623: Upcoming DSA prepared by maintainer (Beuc/front-desk)
--
cairosvg
  NOTE: 20230323: Added by Front-Desk (gladk)
  NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert)
--
cinder
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
debian-archive-keyring (jspricke)
  NOTE: 20230619: Added by Front-Desk (Beuc)
  NOTE: 20230619: Add bookworm keys as in #1033157; see DLA-2948-1 for a similar update
  NOTE: 20230619: See also https://lists.debian.org/debian-lts/2021/08/msg00037.html for context (Beuc/front-desk)
--
docker.io (rouca)
  NOTE: 20230303: Added by Front-Desk (Beuc)
  NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
  NOTE: 20230424: Is in preparation. (gladk)
--
dogecoin
  NOTE: 20230619: Added by Front-Desk (Beuc)
  NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream,
  NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status;
  NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
  NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
--
erlang
  NOTE: 20221119: Added by Front-Desk (ta)
  NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch)
--
flatpak
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
--
fusiondirectory (Abhijith PA)
  NOTE: 20221203: Added by Front-Desk (gladk)
  NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
  NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
  NOTE: 20221203: Also the package was removed from sid recently (gladk).
  NOTE: 20221203: Feel free to mark both CVEs as <ignored>, if they are not too serious (gladk).
  NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith)
  NOTE: 20230627: Coordinate with upload of php-cas as php-cas will break fusiondirectory. (tobi)
  NOTE: 20230627: See: https://lists.debian.org/debian-lts/2023/06/msg00058.html
--
glib2.0 (santiago)
  NOTE: 20230612: Added by Front-Desk (apo)
--
golang-yaml.v2 (sgmoore)
  NOTE: 20230125: Added by Front-Desk (gladk)
  NOTE: 20230525: In review with utkarsh.
--
grpc
  NOTE: 20230614: Added by Front-Desk (opal)
  NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca)
--
gst-plugins-bad1.0 (Thorsten Alteholz)
  NOTE: 20230702: Added by Front-Desk (ta)
--
gst-plugins-base1.0 (Thorsten Alteholz)
  NOTE: 20230702: Added by Front-Desk (ta)
--
gst-plugins-good1.0 (Thorsten Alteholz)
  NOTE: 20230702: Added by Front-Desk (ta)
--
hdf5
  NOTE: 20230318: Added by Front-Desk (utkarsh)
  NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh)
  NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
  NOTE: 20230318: sync w/ him. (utkarsh)
  NOTE: 20230506: tried to triage… seems to be that the only sensible way forward would be to update to a newer version in the 1.10.x
  NOTE: 20230506: line. Even then, the state of the CVEs is unknown (whether they have been fixed). 1.10.11 is scheduled for September. (tobi)
  NOTE: 20230520: Tried to backport 1.10.6 to buster, however, it seems that there is a (hidden) SONAME bump,
  NOTE: 20230520: https://salsa.debian.org/debian/hdf5/-/commit/52b5fe589e68361ea840121d8f4a8eb9148bf3da
  NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files,
  NOTE: 20230520: so giving up on the package. (tobi)
--
imagemagick (rouca)
  NOTE: 20230622: Added by Front-Desk (Beuc)
  NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
--
lemonldap-ng (guilhem)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: Follow 2 fixes from bullseye 11.7 (CVE-2023-28862 + unreferenced URL validation bypass) (Beuc/front-desk)
--
libapache2-mod-auth-openidc (gladk)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk)
--
libreoffice (Abhijith PA)
  NOTE: 20230530: Added by Front-Desk (pochu)
--
libusrsctp (rouca)
  NOTE: 20230612: Added by Front-Desk (opal)
  NOTE: 20230618: May need a backport see https://lists.debian.org/debian-lts/2023/06/msg00050.html (rouca)
  NOTE: 20230618: Waiting for comments
--
linux (Ben Hutchings)
  NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
mediawiki
  NOTE: 20230701: Added by Front-Desk (ta)
--
nova
  NOTE: 20230302: Re-add, request by maintainer (Beuc)
  NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
  NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes);
  NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
  NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monoliticFlat disabled by default).
  NOTE: 20230302:  Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo)
  NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected.
  NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely.
  NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby)
--
nvidia-cuda-toolkit
  NOTE: 20230514: Added by Front-Desk (utkarsh)
  NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
  NOTE: 20230514: piled up. (utkarsh)
  NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
  NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
openimageio (gladk)
  NOTE: 20230406: Re-added due to regressions (apo)
  NOTE: 20230612: Backporting is mostly done, but still some failures.
--
openjdk-11 (Emilio)
  NOTE: 20230419: Added by Front-Desk (ola)
  NOTE: 20230522: waiting for sid update (pochu)
  NOTE: 20230612: sid updated, preparing backport (pochu)
  NOTE: 20230627: waiting for DSA (pochu)
--
php-cas (tobi)
  NOTE: 20221105: Added by Front-Desk (ola)
  NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored. (ola)
  NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports),
  NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk)
  NOTE: 20221110: a DSA is planned (Beuc/front-desk)
  NOTE: 20230627: WIP See: https://lists.debian.org/debian-lts/2023/06/msg00058.html (tobi)
--
php-dompdf
  NOTE: 20230618: Added by Front-Desk (opal)
  NOTE: 20230618: Low priority but higher than to not fix it.
--
python-glance-store (jspricke)
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-os-brick
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-oslo.privsep
  NOTE: 20221231: Added by Front-Desk (ola)
  NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity.
  NOTE: 20230525: It was mentioned the fix was easy but tedious. It is a consumer design flaw issue. (sgmoore)
--
qt4-x11 (sgmoore)
  NOTE: 20230612: Added by Front-Desk (apo)
  NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11
--
rails
  NOTE: 20220909: Re-added due to regression (abhijith)
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
  NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
  NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
  NOTE: 20221024: to break thrice in less than 2 months.
  NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
--
renderdoc
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: See discussion at https://lists.debian.org/debian-lts/2023/06/msg00049.html
  NOTE: 20230620: Summary: try to backport fixes; otherwise, since this is an end-user app with no rdeps,
  NOTE: 20230620: coordinate with maintainer&secteam to try and bump to 1.27 across all dists (Beuc/front-desk)
--
ring (Thorsten Alteholz)
  NOTE: 20221120: Added by Front-Desk (ta)
  NOTE: 20230507: testing package
  NOTE: 20230701: testing package, not all tests pass yet
--
ruby-doorkeeper (Chris Lamb)
  NOTE: 20230618: Added by Front-Desk (opal)
  NOTE: 20230629: Working on trying to enable the testsuite. (lamby)
--
ruby-loofah
  NOTE: 20221231: Added by Front-Desk (ola)
  NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)
  NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby)
  NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert)
--
ruby-rails-html-sanitizer
  NOTE: 20221231: Added by Front-Desk (ola)
  NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)
--
ruby-redcloth
  NOTE: 20230612: Added by Front-Desk (apo)
--
sabnzbdplus
  NOTE: 20230618: Added by Front-Desk (opal)
--
salt
  NOTE: 20220814: Added by Front-Desk (gladk)
  NOTE: 20220814: I am not sure, whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
--
samba (Lee Garrett)
  NOTE: 20220904: Added by Front-Desk (apo)
  NOTE: 20220904: Many postponed or open CVE in general. (apo)
  NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
--
suricata (Adrian Bunk)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie,
  NOTE: 20230620: I'd suggest reviewing the CVEs, making the triage more precise (postponed/ignored),
  NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk)
--
symfony (guilhem)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed CVE (Beuc/front-desk)
--
syncthing (Abhijith PA)
  NOTE: 20230616: Added by Front-Desk (opal)
--
webkit2gtk (Emilio)
  NOTE: 20230512: Re-added (pochu)
  NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu)
  NOTE: 20230529: made some progress on the backport, but there are still some blockers,
  NOTE: 20230529: particularly around (the lack of) C++20 support. (pochu)
  NOTE: 20230606: one issue remaining (cmake), but call for testing sent out already:
  NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg00005.html (pochu)
  NOTE: 20230627: will likely hold the update and mark as not-supported due to feedback (pochu)
--
