path: root/data/dla-needed.txt
Diffstat (limited to 'data/dla-needed.txt')
-rw-r--r--  data/dla-needed.txt  459
1 files changed, 284 insertions, 175 deletions
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index bad592a994..d0cd5bd2d6 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -1,11 +1,19 @@
An LTS security update is needed for the following source packages.
-When you add a new entry, please keep the list alphabetically sorted.
+
+To add a new entry, please coordinate with this week's Front-Desk
+person, and use the 'package-operations' LTS tool.
The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
-To pick an issue, simply add your name behind it. To learn more about how
+When checking what packages to work on, use:
+$ ./find-work
+from the LTS admin repository, to sort packages by priority and
+display important notes about the package (special attention, VCS,
+testing procedures, programming language, etc.).
+
+To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
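Review bot: the new instructions name two tools, the 'package-operations' LTS tool for adding an entry and `$ ./find-work` "from the LTS admin repository", but neither paragraph says where that repository lives, while the surrounding text does give a full URL for the security tracker and for the wiki triage page. Add the repository location (or a link to the wiki page that documents these tools) next to the `./find-work` line so a new contributor can actually run it. Also, the unchanged sentence "The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from" is a comma splice; since this hunk already rewrites the paragraph around it, splitting it into two sentences here would be cheap.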
@@ -13,179 +21,280 @@ To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
-ansible (Markus Koschany)
- NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
- NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
- NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
- NOTE: 20200506: (lamby)
- NOTE: 20200508: bam: Problem exists with new files only. Existing files
- NOTE: 20200508: bam: code resets permissions to same value, should be fine.
- NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
- NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
- NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
- NOTE: 20201130: apo: I believe a partial update makes sense at the moment.
- NOTE: 20201130: Not everything is clear and obvious thus fixing some CVE is
- NOTE: 20201130: better than continue to ignore all of them.
---
-ceph
- NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
- NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
- NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
- NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
- NOTE: 20200928: If someone know how to test the packages please take this build and upload (after testing it).
---
-condor
- NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
- NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
- NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
- NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
- NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
- NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
- NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
---
-f2fs-tools
- NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to
- NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
---
-firmware-nonfree (Emilio)
---
-golang-github-dgrijalva-jwt-go (Brian May)
---
-golang-golang-x-net-dev
---
-influxdb
---
-intel-microcode
- NOTE: 20201117: hold off the update until it's settled in unstable, at least.
- NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! (utkarsh)
- NOTE: 20201122: the patch is ready but after discussing with the security team, hold on
- NOTE: 20201122: this update for 2 weeks to first let it land in buster. (utkarsh)
- NOTE: 20201122: Utkarsh will upload once its confirmed that there is no regression
- NOTE: 20201122: and is actively tracking it. (utkarsh)
---
-lemonldap-ng (Utkarsh)
- NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby)
- NOTE: 20201122: still waiting to hear from upstream. (utkarsh)
---
-libhibernate3-java
- NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby)
---
-libsixel
+ansible
+ NOTE: 20231202: Added by Front-Desk (Beuc)
+ NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021
+ NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to
+ NOTE: 20231202: assess/fix the situation.
+ NOTE: 20231217: Begin to triage CVEs (rouca)
+ NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca)
+ NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
+--
+atril (utkarsh)
+ NOTE: 20240121: Added by Front-Desk (apo)
+ NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead.
+ NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/
+ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh)
+--
+bind9 (Sean Whitton)
+ NOTE: 20240218: Added by Front-Desk (lamby)
+ NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby)
+--
+dnsmasq (Chris Lamb)
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
+docker.io
+ NOTE: 20230303: Added by Front-Desk (Beuc)
+ NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
+ NOTE: 20230424: Is in preparation. (gladk)
+ NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html
+ NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version)
+ NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case
+ NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
+ NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. (ola)
+--
+dogecoin
+ NOTE: 20230619: Added by Front-Desk (Beuc)
+ NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream,
+ NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status;
+ NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
+ NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
+--
+edk2
+ NOTE: 20231230: Added by Front-Desk (lamby)
+ NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby)
+ NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk)
+--
+expat (tobi)
+ NOTE: 20240306: Added by Front-Desk (opal)
+ NOTE: 20230324: slowly making progress, seems that I've just defeated CVE-2023-52425 :) (tobi)
+--
+freeimage
+ NOTE: 20240320: Added by Front-Desk (ta)
+ NOTE: 20240320: lots of postponed issue could be fixed as well
+ NOTE: 20240325: Lack of upstream activity,
+ NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk)
+--
+frr
+ NOTE: 20231119: Added by Front-Desk (apo)
+ NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
+ NOTE: 20240301: continue work (abhijith)
+--
+gnutls28 (guilhem)
+ NOTE: 20240323: Added by Front-Desk (ta)
+--
+gtkwave (Adrian Bunk)
+ NOTE: 20240116: Added by Front-Desk (lamby)
+ NOTE: 20240116: For CVE-2023-32650 etc. (lamby)
+ NOTE: 20240316: https://bugs.debian.org/1060407 (bunk)
+--
+h2o (Adrian Bunk)
+ NOTE: 20231228: Added by Front-Desk (lamby)
+--
+i2p
+ NOTE: 20230809: Added by Front-Desk (Beuc)
+ NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
+--
+jenkins-htmlunit-core-js
+ NOTE: 20231231: Added by Front-Desk (lamby)
+ NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance
+ NOTE: 20231231: … suggests that the embedded copy of htmlunit is very old and may
+ NOTE: 20231231: … not even support XLST processing. However, it does use the
+ NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may
+ NOTE: 20231231: … indeed be vulnerable. (lamby)
+--
+jetty9 (Markus Koschany)
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
+knot-resolver
+ NOTE: 20231029: Added by Front-Desk (gladk)
+ NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
+ NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola)
+--
+libdatetime-timezone-perl (Emilio)
+ NOTE: 20240327: Added by pochu
+--
+libpgjava
+ NOTE: 20240308: Added by Front-Desk (opal)
+--
+libreswan
+ NOTE: 20230817: Added by Front-Desk (ta)
+ NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
+ NOTE: 20230909: https://salsa.debian.org/lts-team/packages/libreswan.git on the experimental
+ NOTE: 20230909: branch. Upstream patch for CVE-2023-38710 does not apply at
+ NOTE: 20230909: all due to code refactoring. I intend to package the version
+ NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo)
+--
+libssh
+ NOTE: 20231219: Added by Front-Desk (ta)
+ NOTE: 20240225: Patches backported, tests pass. Backports needs review.
+ NOTE: 20240225: Re CVE-2023-48795: untested that Terrapin is actually
+ NOTE: 20240225: mitigated. Upstream have provided some input on doing that:
+ NOTE: 20240225: <https://archive.libssh.org/libssh/2024-01/0000000.html>
+ NOTE: 20240225: (spwhitton).
+ NOTE: 20240227: Re CVE-2023-6918: commit 3eb99562 is simply to fix
+ NOTE: 20240227: the build. It is currently unknown whether it is safe.
+ NOTE: 20240227: Upstream have provided some feedback on the issue:
+ NOTE: 20240227: <https://archive.libssh.org/libssh/2024-02/0000009.html>
+ NOTE: 20240227: (spwhitton).
+--
+libstb
+ NOTE: 20231029: Added by Front-Desk (gladk)
+ NOTE: 20231029: A lot of open CVEs. Maybe duplicates.
+ NOTE: 20231029: If you take a package, please evaluate it as well as its importance.
+ NOTE: 20231119: None of the new CVE fixes has been reviewed by upstream so far,
+ NOTE: 20231119: and in the past CVE fixes have caused regressions.
+ NOTE: 20231119: Wait for upstream merge of fixes (and fixing in unstable). (bunk)
+ NOTE: 20230314: Reverted decision to remove from this file since
+ NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye
+ NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto)
+--
+libvirt (guilhem)
+ NOTE: 20240316: Added by Front-Desk (Beuc)
+ NOTE: 20240316: A few years of minor vulnerabilities piled up;
+ NOTE: 20240316: coordinate with stable/oldstable to fix them uniformly (Beuc/front-desk)
--
linux (Ben Hutchings)
---
-linux-4.19 (Ben Hutchings)
---
-mariadb-10.1 (Adrian Bunk)
---
-mumble
- NOTE: 20200325: Regression in last upload, forgot to follow up.
- NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
- NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
- NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
- NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
---
-open-build-service
- NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
- NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh)
- NOTE: 20201122: regression noticed; let the fix be exposed in sid for a week or two. (utkarsh)
---
-opendmarc
- NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
---
-openldap (Utkarsh)
- NOTE: 20201111: re-add openldap. two new slapd issues, CVEs are yet to be assigned. (utkarsh)
- NOTE: 20201130: couldn't complete the update, will process the upload after getting an ack from maintainer (if needed). (utkarsh)
---
-pacemaker (Markus Koschany)
- NOTE: 20201117: See #974563 for further information.
- NOTE: 20201130: I will ask the other bug reporters for feedback and testing
- NOTE: 20201130: in #974563. The update itself looks good to me.
---
-php-horde-trean
- NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
- NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
---
-pluxml
- NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
---
-reel
- NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
---
-ruby-actionpack-page-caching
- NOTE: 20200819: Upstream's patch on does not apply due to subsequent
- NOTE: 20200819: refactoring. However, a quick look at the private
- NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
- NOTE: 20200819: uses the path without normalising any "../" etc., simply
- NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
---
-ruby-doorkeeper
- NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh)
- NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
- NOTE: 20200831: more investigation needed. (utkarsh)
- NOTE: 20201009: on another note, it needs more investigation if this version is affected in
- NOTE: 20201009: the first place or not. (utkarsh)
---
-ruby-kaminari
- NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
- NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
- NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the
- NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
- NOTE: 20200819: file has been refactored a few times). (lamby)
- NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
- NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
- NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
- NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
---
-ruby-oauth
---
-salt (Abhijith PA)
---
-shiro
- NOTE: 20200920: WIP
- NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto)
- NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto)
---
-slirp (Thorsten Alteholz)
- NOTE: Upstream patch for CVE-2020-8608 requires patches for
- NOTE: CVE-2020-7039 to be applied patched first, as they both patch
- NOTE: the same lines of code in tcp_subr.c (bam).
---
-snapd (Brian May)
- NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto.
- NOTE: Problems with upload.
---
-spice-vdagent (Abhijith PA)
- NOTE: code base seems largely changed. Pinged upstream for help (abhijith)
---
-spip
- NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith)
---
-webcit (Markus Koschany)
- NOTE: 20201130: Requested more information from upstream. Currently patches
- NOTE: or workarounds are not available.
---
-wireshark
- NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
- NOTE: 20201007: those fixes as well! \o/ (utkarsh)
- NOTE: 20201108: 2.6.8-1.1 backported as first step
- NOTE: 20201108: will try to update wireshark in the next
- NOTE: 20201108: buster point release followed by another backport (bunk)
- NOTE: 20201123: NMU for unstable prepared as first step (bunk)
- NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk)
---
-x11vnc (Thorsten Alteholz)
---
-xcftools
- NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
- NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
- NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
- NOTE: 20200517: work is ongoing. (gladk)
- NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
- NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
---
-xdg-utils (Emilio)
- NOTE: 20201122: wait for a while to get the fix exposed in other suites. (utkarsh)
---
-xorg-server (Emilio)
+ NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
+--
+linux-5.10
+ NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
+--
+lucene-solr
+ NOTE: 20240213: Added by Front-Desk (lamby)
+--
+nova
+ NOTE: 20230302: Re-add, request by maintainer (Beuc)
+ NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
+ NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes);
+ NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
+ NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monoliticFlat disabled by default).
+ NOTE: 20230302: Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo)
+ NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected.
+ NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely.
+ NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
+ NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby)
+--
+nss
+ NOTE: 20240121: Added by Front-Desk (apo)
+ NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there.
+ NOTE: 20230310: see also: Message-ID: <Zd5GYmuVVIDU54Vv@isildor2.loewenhoehle.ip> (tobi)
+--
+nvidia-cuda-toolkit
+ NOTE: 20230514: Added by Front-Desk (utkarsh)
+ NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
+ NOTE: 20230514: piled up. (utkarsh)
+ NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
+ NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
+ NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to suggest removal of support. (ola)
+--
+nvidia-graphics-drivers
+ NOTE: 20240303: Added by Front-Desk (apo)
+ NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release?
+ NOTE: 20240303: Maybe it's time to mark them EOL? (apo/front-desk)
+--
+nvidia-graphics-drivers-legacy-390xx
+ NOTE: 20240303: Added by Front-Desk (apo)
+ NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk)
+--
+pdns-recursor (dleidert)
+ NOTE: 20240306: Added by Front-Desk (opal)
+ NOTE: 20240319: Upload postponed due to #1067124 (dleidert)
+--
+putty (rouca)
+ NOTE: 20231224: Added by Front-Desk (ta)
+ NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca)
+ NOTE: 20230324: Backport is straighforward (rouca)
+ NOTE: 20230324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104
+--
+python-asyncssh
+ NOTE: 20240116: Added by Front-Desk (lamby)
+ NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert)
+--
+rails
+ NOTE: 20220909: Re-added due to regression (abhijith)
+ NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
+ NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
+ NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
+ NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
+ NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
+ NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
+ NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
+ NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
+ NOTE: 20221024: to break thrice in less than 2 month.
+ NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
+ NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
+--
+ring
+ NOTE: 20230903: Added by Front-Desk (gladk)
+ NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
+--
+ruby-rack (Adrian Bunk)
+ NOTE: 20240306: Added by Front-Desk (opal)
+--
+runc
+ NOTE: 20240312: Added by coordinator (roberto)
+ NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye.
+ NOTE: 20240314: Uploads to ospu should be coordinated. (roberto)
+--
+samba (Santiago)
+ NOTE: 20230918: Added by Front-Desk (apo)
+--
+sendmail (rouca)
+ NOTE: 20231224: Added by Front-Desk (ta)
+ NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765)
+ NOTE: 20240217: Patch extracted and being reviewed (rouca)
+ NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
+ NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists,
+ NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists,
+ NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk)
+ NOTE: 20240324: some issue coordinate with myself and security team (rouca)
+--
+shim
+ NOTE: 20240306: Added by Front-Desk (opal)
+--
+squid
+ NOTE: 20240109: Added by Front-Desk (apo)
+ NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix
+ NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo)
+--
+suricata (Adrian Bunk)
+ NOTE: 20230620: Added by Front-Desk (Beuc)
+ NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie,
+ NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored),
+ NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk)
+ NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
+ NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
+ NOTE: 20231016: Still reviewing+testing CVEs. (bunk)
+ NOTE: 20231120: DLA coming soon. (bunk)
+--
+tiff (Abhijith PA)
+ NOTE: 20240314: Added by coordinator (roberto)
+ NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and
+ NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto)
+--
+tomcat9 (Markus Koschany)
+ NOTE: 20240121: Added by Front-Desk (apo)
+--
+tzdata (Emilio)
+ NOTE: 20240327: Added by pochu
+--
+varnish
+ NOTE: 20231117: Added by Front-Desk (apo)
+ NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004
+ NOTE: 20231219: Continuing work
+ NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith)
+ NOTE: 20240122: Still fixing tests (abhijith)
+ NOTE: 20240213: Fixing tests.(abhijith)
+--
+wordpress
+ NOTE: 20240314: Added by coordinator (roberto)
+ NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and
+ NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto)
+--
+zabbix (utkarsh)
+ NOTE: 20240212: Added by Front-Desk (utkarsh)
+--
+zookeeper (rouca)
+ NOTE: 20240324: Added by Front-Desk (ta)
--
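Review bot: several appended NOTE lines carry a year that contradicts their position in the entry's timeline, which defeats the "append notes rather than remove/replace" history convention stated at the top of the file: under docker.io, ` NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. (ola)` follows a 20240310 note; under expat, ` NOTE: 20230324: slowly making progress, seems that I've just defeated CVE-2023-52425 :) (tobi)` follows the 20240306 Front-Desk note; under libstb, ` NOTE: 20230314: Reverted decision to remove from this file since` sits beside the 20240314 continuation lines; the same pattern appears under nss (20230310 after 20240310) and putty (20230104 and 20230324 after 20231224). These look like 2023/2024 typos and should be corrected before merging, since ./find-work and readers sort on these stamps. Minor wording to fix in the same pass: "bookwork" for bookworm under libstb and wordpress, "claryfication" under ansible, "straighforward" under putty, and "four CVEs has been fixed" under knot-resolver.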
