diff options
Diffstat (limited to 'data/dla-needed.txt')
-rw-r--r-- | data/dla-needed.txt | 459 |
1 files changed, 284 insertions, 175 deletions
diff --git a/data/dla-needed.txt b/data/dla-needed.txt index bad592a994..d0cd5bd2d6 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -1,11 +1,19 @@ An LTS security update is needed for the following source packages. -When you add a new entry, please keep the list alphabetically sorted. + +To add a new entry, please coordinate with this week's Front-Desk +person, and use the 'package-operations' LTS tool. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. -To pick an issue, simply add your name behind it. To learn more about how +When checking what packages to work on, use: +$ ./find-work +from the LTS admin repository, to sort packages by priority and +display important notes about the package (special attention, VCS, +testing procedures, programming language, etc.). + +To work on a package, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues @@ -13,179 +21,280 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -ansible (Markus Koschany) - NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the - NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666 - NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable. - NOTE: 20200506: (lamby) - NOTE: 20200508: bam: Problem exists with new files only. Existing files - NOTE: 20200508: bam: code resets permissions to same value, should be fine. - NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970 - NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 - NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 - NOTE: 20201130: apo: I believe a partial update makes sense at the moment. - NOTE: 20201130: Not everything is clear and obvious thus fixing some CVE is - NOTE: 20201130: better than continue to ignore all of them. --- -ceph - NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) - NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby) - NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola) - NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/ - NOTE: 20200928: If someone know how to test the packages please take this build and upload (after testing it). --- -condor - NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) - NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby) - NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh) - NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk) - NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto) - NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) - NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) --- -f2fs-tools - NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to - NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) --- -firmware-nonfree (Emilio) --- -golang-github-dgrijalva-jwt-go (Brian May) --- -golang-golang-x-net-dev --- -influxdb --- -intel-microcode - NOTE: 20201117: hold off the update until it's settled in unstable, at least. - NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! (utkarsh) - NOTE: 20201122: the patch is ready but after discussing with the security team, hold on - NOTE: 20201122: this update for 2 weeks to first let it land in buster. (utkarsh) - NOTE: 20201122: Utkarsh will upload once its confirmed that there is no regression - NOTE: 20201122: and is actively tracking it. (utkarsh) --- -lemonldap-ng (Utkarsh) - NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) - NOTE: 20201122: still waiting to hear from upstream. (utkarsh) --- -libhibernate3-java - NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby) --- -libsixel +ansible + NOTE: 20231202: Added by Front-Desk (Beuc) + NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021 + NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to + NOTE: 20231202: assess/fix the situation. + NOTE: 20231217: Begin to triage CVEs (rouca) + NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) + NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee +-- +atril (utkarsh) + NOTE: 20240121: Added by Front-Desk (apo) + NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. + NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ + NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) +-- +bind9 (Sean Whitton) + NOTE: 20240218: Added by Front-Desk (lamby) + NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) +-- +dnsmasq (Chris Lamb) + NOTE: 20240303: Added by Front-Desk (apo) +-- +docker.io + NOTE: 20230303: Added by Front-Desk (Beuc) + NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) + NOTE: 20230424: Is in preparation. (gladk) + NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html + NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version) + NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. (ola) +-- +dogecoin + NOTE: 20230619: Added by Front-Desk (Beuc) + NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream, + NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status; + NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; + NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) +-- +edk2 + NOTE: 20231230: Added by Front-Desk (lamby) + NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) + NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) +-- +expat (tobi) + NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20230324: slowly making progress, seems that I've just defeated CVE-2023-52425 :) (tobi) +-- +freeimage + NOTE: 20240320: Added by Front-Desk (ta) + NOTE: 20240320: lots of postponed issue could be fixed as well + NOTE: 20240325: Lack of upstream activity, + NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk) +-- +frr + NOTE: 20231119: Added by Front-Desk (apo) + NOTE: 20240206: Continuing fixing the remaining issues (abhijith) + NOTE: 20240301: continue work (abhijith) +-- +gnutls28 (guilhem) + NOTE: 20240323: Added by Front-Desk (ta) +-- +gtkwave (Adrian Bunk) + NOTE: 20240116: Added by Front-Desk (lamby) + NOTE: 20240116: For CVE-2023-32650 etc. (lamby) + NOTE: 20240316: https://bugs.debian.org/1060407 (bunk) +-- +h2o (Adrian Bunk) + NOTE: 20231228: Added by Front-Desk (lamby) +-- +i2p + NOTE: 20230809: Added by Front-Desk (Beuc) + NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 +-- +jenkins-htmlunit-core-js + NOTE: 20231231: Added by Front-Desk (lamby) + NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance + NOTE: 20231231: … suggests that the embedded copy of htmlunit is very old and may + NOTE: 20231231: … not even support XLST processing. However, it does use the + NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may + NOTE: 20231231: … indeed be vulnerable. (lamby) +-- +jetty9 (Markus Koschany) + NOTE: 20240303: Added by Front-Desk (apo) +-- +knot-resolver + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) +-- +libdatetime-timezone-perl (Emilio) + NOTE: 20240327: Added by pochu +-- +libpgjava + NOTE: 20240308: Added by Front-Desk (opal) +-- +libreswan + NOTE: 20230817: Added by Front-Desk (ta) + NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to + NOTE: 20230909: https://salsa.debian.org/lts-team/packages/libreswan.git on the experimental + NOTE: 20230909: branch. Upstream patch for CVE-2023-38710 does not apply at + NOTE: 20230909: all due to code refactoring. I intend to package the version + NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) +-- +libssh + NOTE: 20231219: Added by Front-Desk (ta) + NOTE: 20240225: Patches backported, tests pass. Backports needs review. + NOTE: 20240225: Re CVE-2023-48795: untested that Terrapin is actually + NOTE: 20240225: mitigated. Upstream have provided some input on doing that: + NOTE: 20240225: <https://archive.libssh.org/libssh/2024-01/0000000.html> + NOTE: 20240225: (spwhitton). + NOTE: 20240227: Re CVE-2023-6918: commit 3eb99562 is simply to fix + NOTE: 20240227: the build. It is currently unknown whether it is safe. + NOTE: 20240227: Upstream have provided some feedback on the issue: + NOTE: 20240227: <https://archive.libssh.org/libssh/2024-02/0000009.html> + NOTE: 20240227: (spwhitton). +-- +libstb + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20231029: A lot of open CVEs. Maybe duplicates. + NOTE: 20231029: If you take a package, please evaluate it as well as its importance. + NOTE: 20231119: None of the new CVE fixes has been reviewed by upstream so far, + NOTE: 20231119: and in the past CVE fixes have caused regressions. + NOTE: 20231119: Wait for upstream merge of fixes (and fixing in unstable). (bunk) + NOTE: 20230314: Reverted decision to remove from this file since + NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye + NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto) +-- +libvirt (guilhem) + NOTE: 20240316: Added by Front-Desk (Beuc) + NOTE: 20240316: A few years of minor vulnerabilities piled up; + NOTE: 20240316: coordinate with stable/oldstable to fix them uniformly (Beuc/front-desk) -- linux (Ben Hutchings) --- -linux-4.19 (Ben Hutchings) --- -mariadb-10.1 (Adrian Bunk) --- -mumble - NOTE: 20200325: Regression in last upload, forgot to follow up. - NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) - NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) - NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith) - NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith) --- -open-build-service - NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them. - NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh) - NOTE: 20201122: regression noticed; let the fix be exposed in sid for a week or two. (utkarsh) --- -opendmarc - NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten) --- -openldap (Utkarsh) - NOTE: 20201111: re-add openldap. two new slapd issues, CVEs are yet to be assigned. (utkarsh) - NOTE: 20201130: couldn't complete the update, will process the upload after getting an ack from maintainer (if needed). (utkarsh) --- -pacemaker (Markus Koschany) - NOTE: 20201117: See #974563 for further information. - NOTE: 20201130: I will ask the other bug reporters for feedback and testing - NOTE: 20201130: in #974563. The update itself looks good to me. --- -php-horde-trean - NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver) - NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver) --- -pluxml - NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith) --- -reel - NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) --- -ruby-actionpack-page-caching - NOTE: 20200819: Upstream's patch on does not apply due to subsequent - NOTE: 20200819: refactoring. However, a quick look at the private - NOTE: 20200819: page_cache_file method suggests that the issue exists, as it - NOTE: 20200819: uses the path without normalising any "../" etc., simply - NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby) --- -ruby-doorkeeper - NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh) - NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh) - NOTE: 20200831: more investigation needed. (utkarsh) - NOTE: 20201009: on another note, it needs more investigation if this version is affected in - NOTE: 20201009: the first place or not. (utkarsh) --- -ruby-kaminari - NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to - NOTE: 20200819: the one upstream or in its many forks. For example, both dthe - NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the - NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the - NOTE: 20200819: file has been refactored a few times). (lamby) - NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh) - NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh) - NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch - NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) --- -ruby-oauth --- -salt (Abhijith PA) --- -shiro - NOTE: 20200920: WIP - NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto) - NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto) --- -slirp (Thorsten Alteholz) - NOTE: Upstream patch for CVE-2020-8608 requires patches for - NOTE: CVE-2020-7039 to be applied patched first, as they both patch - NOTE: the same lines of code in tcp_subr.c (bam). --- -snapd (Brian May) - NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto. - NOTE: Problems with upload. --- -spice-vdagent (Abhijith PA) - NOTE: code base seems largely changed. Pinged upstream for help (abhijith) --- -spip - NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith) --- -webcit (Markus Koschany) - NOTE: 20201130: Requested more information from upstream. Currently patches - NOTE: or workarounds are not available. --- -wireshark - NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include - NOTE: 20201007: those fixes as well! \o/ (utkarsh) - NOTE: 20201108: 2.6.8-1.1 backported as first step - NOTE: 20201108: will try to update wireshark in the next - NOTE: 20201108: buster point release followed by another backport (bunk) - NOTE: 20201123: NMU for unstable prepared as first step (bunk) - NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk) --- -x11vnc (Thorsten Alteholz) --- -xcftools - NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) - NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch - NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby) - NOTE: 20200517: work is ongoing. (gladk) - NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) - NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) --- -xdg-utils (Emilio) - NOTE: 20201122: wait for a while to get the fix exposed in other suites. (utkarsh) --- -xorg-server (Emilio) + NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) +-- +linux-5.10 + NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) +-- +lucene-solr + NOTE: 20240213: Added by Front-Desk (lamby) +-- +nova + NOTE: 20230302: Re-add, request by maintainer (Beuc) + NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression + NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes); + NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch. + NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monoliticFlat disabled by default). + NOTE: 20230302: Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo) + NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected. + NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely. + NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) + NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) +-- +nss + NOTE: 20240121: Added by Front-Desk (apo) + NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. + NOTE: 20230310: see also: Message-ID: <Zd5GYmuVVIDU54Vv@isildor2.loewenhoehle.ip> (tobi) +-- +nvidia-cuda-toolkit + NOTE: 20230514: Added by Front-Desk (utkarsh) + NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have + NOTE: 20230514: piled up. (utkarsh) + NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html + NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) + NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to suggest removal of support. (ola) +-- +nvidia-graphics-drivers + NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release? + NOTE: 20240303: Maybe it's time to mark them EOL? (apo/front-desk) +-- +nvidia-graphics-drivers-legacy-390xx + NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) +-- +pdns-recursor (dleidert) + NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20240319: Upload postponed due to #1067124 (dleidert) +-- +putty (rouca) + NOTE: 20231224: Added by Front-Desk (ta) + NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) + NOTE: 20230324: Backport is straighforward (rouca) + NOTE: 20230324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 +-- +python-asyncssh + NOTE: 20240116: Added by Front-Desk (lamby) + NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) +-- +rails + NOTE: 20220909: Re-added due to regression (abhijith) + NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) + NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) + NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith) + NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith) + NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith) + NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith) + NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith) + NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea + NOTE: 20221024: to break thrice in less than 2 month. + NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) + NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) +-- +ring + NOTE: 20230903: Added by Front-Desk (gladk) + NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) +-- +ruby-rack (Adrian Bunk) + NOTE: 20240306: Added by Front-Desk (opal) +-- +runc + NOTE: 20240312: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. + NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) +-- +samba (Santiago) + NOTE: 20230918: Added by Front-Desk (apo) +-- +sendmail (rouca) + NOTE: 20231224: Added by Front-Desk (ta) + NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) + NOTE: 20240217: Patch extracted and being reviewed (rouca) + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists, + NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists, + NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) + NOTE: 20240324: some issue coordinate with myself and security team (rouca) +-- +shim + NOTE: 20240306: Added by Front-Desk (opal) +-- +squid + NOTE: 20240109: Added by Front-Desk (apo) + NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix + NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) +-- +suricata (Adrian Bunk) + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, + NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), + NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk) + NOTE: 20230714: Still reviewing+testing CVEs. (bunk) + NOTE: 20230731: Still reviewing+testing CVEs. (bunk) + NOTE: 20231016: Still reviewing+testing CVEs. (bunk) + NOTE: 20231120: DLA coming soon. (bunk) +-- +tiff (Abhijith PA) + NOTE: 20240314: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and + NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) +-- +tomcat9 (Markus Koschany) + NOTE: 20240121: Added by Front-Desk (apo) +-- +tzdata (Emilio) + NOTE: 20240327: Added by pochu +-- +varnish + NOTE: 20231117: Added by Front-Desk (apo) + NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 + NOTE: 20231219: Continuing work + NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith) + NOTE: 20240122: Still fixing tests (abhijith) + NOTE: 20240213: Fixing tests.(abhijith) +-- +wordpress + NOTE: 20240314: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and + NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) +-- +zabbix (utkarsh) + NOTE: 20240212: Added by Front-Desk (utkarsh) +-- +zookeeper (rouca) + NOTE: 20240324: Added by Front-Desk (ta) -- |