Diffstat (limited to 'data/dla-needed.txt')
-rw-r--r-- data/dla-needed.txt 246
1 files changed, 62 insertions, 184 deletions
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 3b4371b40b..3718f8e769 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -9,213 +9,91 @@ To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
+To make it easier to see the entire history of an update, please append notes
+rather than remove/replace existing ones.
+
--
ansible
- NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
- NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
- NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
- NOTE: 20200506: (lamby)
- NOTE: 20200508: bam: Problem exists with new files only. Existing files
- NOTE: 20200508: bam: code resets permissions to same value, should be fine.
- NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
- NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
- NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
---
-ark (Abhijith PA)
- NOTE: 20200731: given PoC not working as intended. (abhijith)
- NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith)
- NOTE: 20200820: pinged upstream for help (abhijith)
- NOTE: 20200907: patch https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes (abhijith)
---
-cacti
- NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith)
- NOTE: 20200620: WIP (abhijith)
- NOTE: 20200629: Working on the patch (abhijith)
- NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh)
- NOTE: 20200726: partial fix https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch (abhijith)
---
-ceph (Ola Lundqvist)
- NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
- NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
- NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
---
-cimg (Thorsten Alteholz)
- NOTE: 20200709: Upstream patch is against a newer "load_network_external"
- NOTE: 20200709: method (vs "load_network") but is still missing the argument
- NOTE: 20200709: sanitisation. (lamby)
---
-condor
- NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
- NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
- NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
- NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
- NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
- NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
- NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
---
-curl (Thorsten Alteholz)
- NOTE: 20200907: testing package (thorsten)
+ NOTE: 20210411: As discussed with the maintainer I will update Buster first and
+ NOTE: 20210411: after that LTS. (apo)
+ NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
-eclipse-wtp
+asterisk (Abhijith PA)
--
-f2fs-tools
- NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to
- NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
+debian-archive-keyring (Anton)
+ NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
+ NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
+ NOTE: 20211003: waiting for Jonathan to get back as his keys
+ NOTE: 20211003: seemed to have expired and the build is thus
+ NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
+ NOTE: 20211018: Jonathan is prepping the branch; will work
+ NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
--
-firefox-esr (Emilio)
- NOTE: 20200720: working on ESR 78 backport. (pochu)
- NOTE: 20200913: backported rustc, cargo and rust-cbindgen, uploads will follow after the buster ones (pochu)
+expat (Emilio)
+ NOTE: 20220221: please wait for DSA first. (Anton)
--
-fossil
- NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a
- NOTE: 20200903: database query in src/add.c. In fact, the patch fixing this CVE is quite invasive. Maybe decide
- NOTE: 20200903: not to fix it?
+firmware-nonfree
+ NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
+ NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
+ NOTE: 20211207: Intend to release this week.
--
-freerdp
+freecad (Emilio)
+ NOTE: 20220221: please wait for DSA first. (Anton)
--
-gnutls28 (Roberto C. Sánchez)
+gif2apng (Anton)
+ NOTE: 20220114: orphaned package with inactive upstream, maybe coordinate with Debian QA to write our own patches (Beuc)
+ NOTE: 20220114: CVEs unrelated to apng2gif's (Beuc)
+ NOTE: 20220221: WIP (Anton)
--
-golang-1.7
+gpac (Roberto C. Sánchez)
+ NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
+ NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
+ NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
--
-golang-1.8
+htmldoc (Thorsten Alteholz)
--
-golang-go.crypto
+intel-microcode
+ NOTE: 20220213: please recheck
--
-golang-golang-x-net-dev
+libarchive (Thorsten Alteholz)
+ NOTE: 20220213: testing package
--
-guacamole-client (Mike Gabriel)
---
-jupyter-notebook
- NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
---
-kleopatra
---
-lemonldap-ng
- NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby)
---
-libdbi-perl (Sylvain Beucler)
- NOTE: 20200917: waiting for upstream response to incomplete fix CVE-2014-10401->CVE-2014-10402
+libgit2 (Utkarsh)
+ NOTE: 20220208: got clearance. will upload this week. (utkarsh)
+ NOTE: 20220221: had been severely ill the past week. shall get it done soon. (utkarsh)
--
linux (Ben Hutchings)
--
-linux-4.9 (Ben Hutchings)
---
-lua5.3
---
-mumble
- NOTE: 20200325: Regression in last upload, forgot to follow up.
- NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
- NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
- NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
- NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
---
-nss (Adrian Bunk)
- NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)
- NOTE: 20200914: new CVE for racoon (bunk)
---
-open-build-service (Utkarsh Gupta)
- NOTE: 20200909: in touch with upstream. (utkarsh)
---
-opendmarc
- NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
---
-openssl
---
-openssl1.0
---
-osc (Adrian Bunk)
---
-php-horde-trean (Mike Gabriel)
- NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
- NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
---
-puma
- NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby)
---
-qt4-x11 (Adrian Bunk)
- NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio.
- NOTE: 20200815: One could possibly look at the other <no-dsa> issues and decide whether they are worth fixing along. (sunweaver)
- NOTE: 20200906: packages are being tested (bunk)
---
-qtbase-opensource-src (Adrian Bunk)
- NOTE: 20200815: Minor issue, but easy to fix (CVE-2020-17507). Low prio.
- NOTE: 20200815: One could possibly look at the other <no-dsa> issues and decide whether they are worth fixing along. (sunweaver)
- NOTE: 20200906: packages are being tested (bunk)
---
-rails
---
-reel
- NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
---
-ruby-actionpack-page-caching
- NOTE: 20200819: Upstream's patch on does not apply due to subsequent
- NOTE: 20200819: refactoring. However, a quick look at the private
- NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
- NOTE: 20200819: uses the path without normalising any "../" etc., simply
- NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
---
-ruby-doorkeeper
- NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh)
- NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
- NOTE: 20200831: more investigation needed. (utkarsh)
+linux-4.19 (Ben Hutchings)
--
-ruby-json-jwt (Utkarsh)
- NOTE: 20200914: testing against the new reproducer. (utkarsh)
+mariadb-10.1
+ NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
--
-ruby-kaminari (Utkarsh)
- NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
- NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
- NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the
- NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
- NOTE: 20200819: file has been refactored a few times). (lamby)
- NOTE: 20200914: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
- NOTE: 20200914: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
+nvidia-graphics-drivers
+ NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc)
+ NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
+ NOTE: 20220209: backport (apo)
--
-ruby-rack-cors (Utkarsh)
- NOTE: 20200817: Was fixed in DLA-2096-1 for jessie LTS but is now re-vulnerable again in stretch LTS AFAICT. (lamby)
- NOTE: 20200914: problems in reproducing. will investigate in sometime. (utkarsh)
+pjproject (Abhijith PA)
+ NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
+ NOTE: 20220215: Asterisk and ring have embedded copy of pjproject (abhijith)
--
-samba (Mike Gabriel)
- NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
- NOTE: 20200801: Stretch update already released, so no conflict. (roberto)
- NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740, are ready. (roberto)
- NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto)
- NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know were the patches are (ola).
- NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver)
+ring (Abhijith PA)
--
-shiro (Roberto C. Sánchez)
+samba
+ NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
+ NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
+ NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
+ NOTE: 20220125: ftbfs, wip. (utkarsh)
--
-slirp
- NOTE: Upstream patch for CVE-2020-8608 requires patches for
- NOTE: CVE-2020-7039 to be applied patched first, as they both patch
- NOTE: the same lines of code in tcp_subr.c (bam).
+thunderbird (Emilio)
--
-snmptt (Abhijith PA)
+tiff (Thorsten Alteholz)
--
-squid3
+ujson (Anton)
+ NOTE: 20220121: please reheck, at least the mentioned function is available in Stretch
+ NOTE: 20220206: https://salsa.debian.org/lts-team/packages/ujson Investigating, whether affected or not (Anton)
+ NOTE: 20220221: WIP (Anton)
--
-sympa
- NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh)
- NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
- NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
- NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
- NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
- NOTE: 20200531: non-public patch received but don't think it should applied (utkarsh)
- NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh)
- NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
- NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
---
-tinymce (Abhijith PA)
---
-xcftools
- NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
- NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
- NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
- NOTE: 20200517: work is ongoing. (gladk)
- NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
- NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
---
-yaws (Thorsten Alteholz)
---
-zeromq3 (Adrian Bunk)
+vim
--
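Review bot: Several of the newly added NOTE lines break the date-plus-author convention the rest of the file relies on, and one carries a typo: the ujson line "NOTE: 20220121: please reheck, at least the mentioned function is available in Stretch" should read "recheck"; the first debian-archive-keyring note ("NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html") has no YYYYMMDD date; and the firmware-nonfree, intel-microcode ("NOTE: 20220213: please recheck") and libarchive ("NOTE: 20220213: testing package") notes name no author. Since this same hunk adds the request to append notes rather than replace them so that an update's history stays readable, each of these notes should get a date and the author's handle in parentheses, as the other entries do, so later readers can tell who observed what and when.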