An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
c-ares (gladk)
NOTE: 20230523: Programming language: C.
NOTE: 20230523: VCS: https://salsa.debian.org/lts-team/packages/c-ares.git
--
cairosvg
NOTE: 20230323: Programming language: Python.
NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert)
NOTE: 20230519: VCS: https://salsa.debian.org/lts-team/packages/cairosvg.git
--
cinder
NOTE: 20230525: Programming language: Python.
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
docker-registry
NOTE: 20230525: Programming language: Go.
--
docker.io
NOTE: 20230303: Programming language: Go.
NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
NOTE: 20230424: Is in preparation. (gladk)
--
erlang (Markus Koschany)
NOTE: 20221119: Programming language: Erlang.
NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch)
NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. Mail sent to mailing list.
--
fusiondirectory (Abhijith PA)
NOTE: 20221203: Programming language: PHP.
NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
NOTE: 20221203: Also the package was removed from sid recently (gladk).
NOTE: 20221203: Feel free to mark both CVEs as <ignored>, if they are not too serious (gladk).
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git
NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith)
--
golang-go.crypto (Markus Koschany)
NOTE: 20220915: Programming language: Go.
NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
NOTE: 20220915: Special attention: limited support, cf. buster release notes
NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
NOTE: 20220915: Special attention: also check bullseye status
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-go.crypto.git
--
golang-yaml.v2 (sgmoore)
NOTE: 20230125: Programming language: Go.
NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git
NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't).
NOTE: 20230525: In review with utkarsh.
--
hdf5
NOTE: 20230318: Programming language: C/C++.
NOTE: 20230318: VCS: https://salsa.debian.org/lts-team/packages/hdf5.git
NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh)
NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
NOTE: 20230318: sync w/ him. (utkarsh)
NOTE: 20230506: tried to triage… it seems that the only sensible way forward would be to update to a newer version in the 1.10.x
NOTE: 20230506: line. Even then, the state of the CVEs (whether they have been fixed) is unknown. 1.10.11 is scheduled for September. (tobi)
NOTE: 20230520: Tried to backport 1.10.6 to buster, however, it seems that there is a (hidden) SONAME bump,
NOTE: 20230520: https://salsa.debian.org/debian/hdf5/-/commit/52b5fe589e68361ea840121d8f4a8eb9148bf3da
NOTE: 20230520: additionally couldn't convince the build system to build for buster, something with the autogenerated .install files,
NOTE: 20230520: so giving up on the package. (tobi)
--
kamailio (Chris Lamb)
NOTE: 20230524: Programming language: C.
--
libcap2 (Abhijith PA)
NOTE: 20230517: Programming language: C.
NOTE: 20230517: VCS: https://salsa.debian.org/lts-team/packages/libcap2.git
--
libfastjson (Thorsten Alteholz)
NOTE: 20230507: Programming language: C.
NOTE: 20230507: the CVE was fixed in json-c already
NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
--
libraw (guilhem)
NOTE: 20230520: Programming language: C++.
NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libraw.git
--
libssh (tobi)
NOTE: 20230520: Programming language: C.
NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libssh.git
--
linux (Ben Hutchings)
NOTE: 20230111: Programming language: C
--
nbconvert
NOTE: 20230423: Programming language: Python.
NOTE: 20230423: XSS may be worth fixing, and there were a lot of them. To consider whether this requires
NOTE: 20230423: more work on the user side; that requires further analysis. (ola)
--
nova
NOTE: 20230302: Programming language: Python.
NOTE: 20230302: VCS: https://salsa.debian.org/openstack-team/services/nova
NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/OpenStack.html
NOTE: 20230302: Maintainer notes: Contact original maintainer: zigo.
NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
NOTE: 20230302: (it's meant to check whether a VMDK image has the "monolithicFlat" subtype, but in practice it breaks compute nodes);
NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtypes (with monolithicFlat disabled by default).
NOTE: 20230302: Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo)
NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected.
NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely.
NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
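The subtype allowlist that the upstream CVE-2022-47951 fix introduces, as an added example in Python (this is not nova's code and not the Debian patch): it reads the create-type from the JSON that `qemu-img info --output=json` prints, rejects any VMDK whose subtype is not allowlisted, and fails closed when qemu-img reports no subtype at all. The allowed set, the function names and the sample image records below are assumptions for this example; the JSON field layout is the one qemu-img uses for VMDK.

```python
import json

# Assumed allowlist for this example (named here, not taken from the page):
# VMDK subtypes that keep all data in the image file itself. "monolithicFlat"
# is deliberately absent: its descriptor names separate extent files on the
# host, which is the behaviour the CVE-2022-47951 fix disables by default.
DEFAULT_ALLOWED_VMDK_SUBTYPES = frozenset({"streamOptimized", "monolithicSparse"})


class UnsafeImage(ValueError):
    """Raised when an image must not be handed to the hypervisor."""


def vmdk_subtype(info):
    """Return the VMDK create-type from parsed `qemu-img info --output=json`.

    Returns None for non-VMDK images and for VMDKs where qemu-img did not
    report format-specific data, so callers can treat "unknown" as unsafe.
    """
    if info.get("format") != "vmdk":
        return None
    specific = info.get("format-specific") or {}
    if specific.get("type") != "vmdk":
        return None
    return (specific.get("data") or {}).get("create-type")


def check_vmdk_image(info, allowed=DEFAULT_ALLOWED_VMDK_SUBTYPES):
    """Reject VMDK images whose subtype is not on the allowlist.

    Non-VMDK images pass. A VMDK with a missing or unknown subtype is
    rejected: failing closed is the whole point of an allowlist.
    """
    if info.get("format") != "vmdk":
        return True
    subtype = vmdk_subtype(info)
    if subtype is None or subtype not in allowed:
        raise UnsafeImage(
            "VMDK subtype %r not in allowed set %s" % (subtype, sorted(allowed))
        )
    return True


def check_qemu_img_text(raw_json, allowed=DEFAULT_ALLOWED_VMDK_SUBTYPES):
    """Apply the check to the raw JSON text printed by qemu-img."""
    return check_vmdk_image(json.loads(raw_json), allowed)


def classify(info, allowed=DEFAULT_ALLOWED_VMDK_SUBTYPES):
    """Map an image to 'ok' or 'rejected' without raising (for reporting)."""
    try:
        check_vmdk_image(info, allowed)
    except UnsafeImage:
        return "rejected"
    return "ok"


# Constructed samples (not captured from a real system) in the field layout
# qemu-img uses for VMDK: "format-specific" -> "data" -> "create-type".
FLAT_VMDK = {
    "format": "vmdk",
    "virtual-size": 1073741824,
    "format-specific": {
        "type": "vmdk",
        "data": {
            "create-type": "monolithicFlat",
            # For a flat image this filename is whatever the descriptor says;
            # it is a path on the host, not data inside the uploaded file.
            "extents": [{"filename": "disk-flat.vmdk", "format": "FLAT"}],
        },
    },
}

SPARSE_VMDK = {
    "format": "vmdk",
    "virtual-size": 1073741824,
    "format-specific": {
        "type": "vmdk",
        "data": {
            "create-type": "monolithicSparse",
            "extents": [{"filename": "disk.vmdk", "format": "SPARSE"}],
        },
    },
}

QCOW2_IMAGE = {"format": "qcow2", "virtual-size": 1073741824}


if __name__ == "__main__":
    samples = [("flat", FLAT_VMDK), ("sparse", SPARSE_VMDK), ("qcow2", QCOW2_IMAGE)]
    for name, info in samples:
        print(name, classify(info))
```

The `allowed` parameter also covers the other option mentioned in the notes: passing an empty set rejects every VMDK, which is "disable .vmdk support entirely" expressed as configuration rather than a code change. Whatever form the check takes, it has to run on the file exactly as the compute node will consume it, after download and before conversion, otherwise a descriptor swapped in between the check and use defeats it.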
--
nvidia-cuda-toolkit
NOTE: 20230514: Programming language: binary blobs.
NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
NOTE: 20230514: piled up. (utkarsh)
--
openimageio (gladk)
NOTE: 20230406: Programming language: C.
NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git
NOTE: 20230508: WIP
--
openjdk-11 (Emilio)
NOTE: 20230419: Programming language: Java.
NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git
NOTE: 20230522: waiting for sid/bullseye update (pochu)
--
owslib (Adrian Bunk)
NOTE: 20230514: Programming language: Python.
NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/owslib.git
NOTE: 20230514: also in dsa-needed. (utkarsh)
--
php-cas
NOTE: 20221105: Programming language: PHP.
NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored. (ola)
NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports),
NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk)
NOTE: 20221110: a DSA is planned (Beuc/front-desk)
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git
--
python-glance-store
NOTE: 20230525: Programming language: Python.
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-os-brick
NOTE: 20230525: Programming language: Python.
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-oslo.privsep
NOTE: 20221231: Programming language: Python.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity.
NOTE: 20230525: It was mentioned that the fix was easy but tedious. It is a consumer design flaw issue.
--
python3.7
NOTE: 20230220: Programming language: C, Python.
NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git
NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html
NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk)
--
rails
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
NOTE: 20221024: Delay upload, see above comment, users have done a workaround. Not a good idea
NOTE: 20221024: to break thrice in less than 2 months.
NOTE: 20221209: Programming language: Ruby.
NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/rails.html
NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rails.git
--
rainloop
NOTE: 20220913: Programming language: PHP, JavaScript.
NOTE: 20220913: Special attention: orphaned as of 2022-09.
NOTE: 20220913: Upstream appeared dead but there was activity 2 weeks ago,
NOTE: 20220913: a "SnappyMail" fork exists and may have patches we can use,
NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk)
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rainloop.git
--
ring (Thorsten Alteholz)
NOTE: 20221120: Programming language: C++.
NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git
NOTE: 20230507: testing package
NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
--
ruby-loofah
NOTE: 20221231: Programming language: Ruby.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git
NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)
NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby)
NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert)
--
ruby-rails-html-sanitizer
NOTE: 20221231: Programming language: Ruby.
NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)
--
salt
NOTE: 20220814: Programming language: Python.
NOTE: 20220814: I am not sure whether it is possible to fix issues
NOTE: 20220814: without backporting a newer version. (Anton)
NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/salt.html
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git
--
samba
NOTE: 20220904: Programming language: C.
NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
NOTE: 20220904: Special attention: High popcon! Used in many servers.
NOTE: 20220904: Many postponed or open CVE in general. (apo)
NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
--
sssd
NOTE: 20230131: Programming language: C.
NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
NOTE: 20230508: WIP (gladk)
--
sysstat (Sylvain Beucler)
NOTE: 20230524: Programming language: C.
--
webkit2gtk (Emilio)
Programming language: C++.
VCS: https://salsa.debian.org/webkit-team/webkit.git
NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu)
--