diff options
Diffstat (limited to 'data/dla-needed.txt')
| -rw-r--r-- | data/dla-needed.txt | 403 |
1 files changed, 318 insertions, 85 deletions
diff --git a/data/dla-needed.txt b/data/dla-needed.txt index f4a0c0e35b..33f9d69953 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -1,115 +1,348 @@ An LTS security update is needed for the following source packages. -When you add a new entry, please keep the list alphabetically sorted. + +To add a new entry, please coordinate with this week's Front-Desk +person, and use the 'package-operations' LTS tool. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. -To pick an issue, simply add your name behind it. To learn more about how +When checking what packages to work on, use: +$ ./find-work +from the LTS admin repository, to sort packages by priority and +display important notes about the package (special attention, VCS, +testing procedures, programming language, etc.). + +To work on a package, simply add your name behind it. To learn more about how this list is updated have a look at -https://wiki.debian.org/LTS/Development#Triage_new_security_issues +https://lts-team.pages.debian.net/wiki/Development.html#triage-new-security-issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -amd64-microcode - NOTE: 20210831: no binary package was built, possibly due to non-free-specific rules - NOTE: 20210831: https://lists.debian.org/debian-lts/2021/08/msg00033.html - NOTE: 20210912: https://lists.debian.org/debian-lts/2021/09/msg00018.html (utkarsh) +ansible (debian) + NOTE: 20231202: Added by Front-Desk (Beuc) + NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021 + NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to + NOTE: 20231202: assess/fix the situation. + NOTE: 20231217: Begin to triage CVEs (rouca) + NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) + NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee +-- +apache2 + NOTE: 20240418: Added by Front-Desk (apo) +-- +astropy (Chris Lamb) + NOTE: 20240421: Added by Front-Desk (apo) +-- +atril + NOTE: 20240121: Added by Front-Desk (apo) + NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. + NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ + NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) +-- +bind9 (Santiago) + NOTE: 20240218: Added by Front-Desk (lamby) + NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) + NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and package builds fine. + NOTE: 20240418: https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96 + NOTE: 20240418: All testing activities remains. +-- +dnsmasq + NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240325: Automatically unassigned (lamby) + NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby) + NOTE: 20240403: Re-assigned back to dleidert; see thread. (lamby) +-- +docker.io + NOTE: 20230303: Added by Front-Desk (Beuc) + NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) + NOTE: 20230424: Is in preparation. (gladk) + NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html + NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version) + NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. (ola) + NOTE: 20240407: Version 18.09.1+dfsg1-7.1+deb10u4 in Git has not been uploaded yet. (dleidert) +-- +dogecoin + NOTE: 20230619: Added by Front-Desk (Beuc) + NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream, + NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status; + NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; + NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) +-- +edk2 + NOTE: 20231230: Added by Front-Desk (lamby) + NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) + NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) +-- +emacs (Sean Whitton) + NOTE: 20240403: Added by Front-Desk (lamby) + NOTE: 20240403: Needs someone with a little familiarity with Lisp — by my + NOTE: 20240403: eye, the version of emacs in LTS may not be vulnerable to, + NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable + NOTE: 20240403: to CVE-2024-30203. (lamby) + NOTE: 20240422: Making progress through bookworm,bullseye,buster. + NOTE: 20240422: No major blockers, just taking some backporting. (spwhitton) -- -ansible (Lee Garrett) - NOTE: 20210411: As discussed with the maintainer I will update Buster first and - NOTE: 20210411: after that LTS. (apo) - NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ +freeimage + NOTE: 20240320: Added by Front-Desk (ta) + NOTE: 20240320: lots of postponed issue could be fixed as well + NOTE: 20240325: Lack of upstream activity, + NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk) + NOTE: 20240410: See discussion at: https://lists.debian.org/debian-lts/2024/04/threads.html#00012 + NOTE: 20240411: Added some postpone tags for DoS class and removed some where + NOTE: 20240411: patch is available and has arbitrary code exec class. (ola) + NOTE: 20240412: ELTS also have a need to update this package. + NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola) -- -debian-archive-keyring (Utkarsh) - NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html - NOTE: 20210920: Raphael answered. will backport today. (utkarsh) - NOTE: 20211003: waiting for Jonathan to get back as his keys - NOTE: 20211003: seemed to have expired and the build is thus - NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh) +frr (tobi) + NOTE: 20231119: Added by Front-Desk (apo) + NOTE: 20240206: Continuing fixing the remaining issues (abhijith) + NOTE: 20240301: continue work (abhijith) -- -exiv2 (Thorsten Alteholz) - NOTE: 20211010: WIP, also taking care of older issues +glibc (Adrian Bunk) + NOTE: 20240419: Added by coordinator (santiago) -- -faad2 (Thorsten Alteholz) - NOTE: 20211010: WIP, also taking care of older issues +gunicorn + NOTE: 20240421: Added by Front-Desk (apo) -- -ffmpeg (Anton Gladky) - NOTE: probably wait until stuff is fixed in Buster - NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/ffmpeg +h2o (dleidert) + NOTE: 20231228: Added by Front-Desk (lamby) -- -firefox-esr (Emilio) +i2p + NOTE: 20230809: Added by Front-Desk (Beuc) + NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- -firmware-nonfree - NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree - NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag +jenkins-htmlunit-core-js + NOTE: 20231231: Added by Front-Desk (lamby) + NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance + NOTE: 20231231: … suggests that the embedded copy of htmlunit is very old and may + NOTE: 20231231: … not even support XLST processing. However, it does use the + NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may + NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jsoup (Markus Koschany) +knot-resolver + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libreoffice (Sylvain Beucler) +less (Abhijith PA) + NOTE: 20240418: Added by Front-Desk (apo) +-- +libmojolicious-perl + NOTE: 20240421: Added by Front-Desk (apo) +-- +libpgjava + NOTE: 20240308: Added by Front-Desk (opal) +-- +libreswan + NOTE: 20230817: Added by Front-Desk (ta) + NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to + NOTE: 20230909: https://salsa.debian.org/lts-team/packages/libreswan.git on the experimental + NOTE: 20230909: branch. Upstream patch for CVE-2023-38710 does not apply at + NOTE: 20230909: all due to code refactoring. I intend to package the version + NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo) +-- +libssh + NOTE: 20231219: Added by Front-Desk (ta) + NOTE: 20240225: Patches backported, tests pass. Backports needs review. + NOTE: 20240225: Re CVE-2023-48795: untested that Terrapin is actually + NOTE: 20240225: mitigated. Upstream have provided some input on doing that: + NOTE: 20240225: <https://archive.libssh.org/libssh/2024-01/0000000.html> + NOTE: 20240225: (spwhitton). + NOTE: 20240227: Re CVE-2023-6918: commit 3eb99562 is simply to fix + NOTE: 20240227: the build. It is currently unknown whether it is safe. + NOTE: 20240227: Upstream have provided some feedback on the issue: + NOTE: 20240227: <https://archive.libssh.org/libssh/2024-02/0000009.html> + NOTE: 20240227: (spwhitton). +-- +libstb + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20231029: A lot of open CVEs. Maybe duplicates. + NOTE: 20231029: If you take a package, please evaluate it as well as its importance. + NOTE: 20231119: None of the new CVE fixes has been reviewed by upstream so far, + NOTE: 20231119: and in the past CVE fixes have caused regressions. + NOTE: 20231119: Wait for upstream merge of fixes (and fixing in unstable). (bunk) + NOTE: 20230314: Reverted decision to remove from this file since + NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye + NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- linux (Ben Hutchings) + NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) +-- +linux-5.10 + NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -linux-4.19 (Ben Hutchings) +mediawiki (guilhem) + NOTE: 20240406: Added by Front-Desk (lamby) + NOTE: 20240406: Added to address "TEMP-0000000-519C2D" at the time of writing. (lamby) -- -mosquitto - NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) - NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) +netty + NOTE: 20240419: Added by Front-Desk (apo) -- -nghttp2 (Anton Gladky) - NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/nghttp2 +nghttp2 + NOTE: 20240421: Added by Front-Desk (apo) -- -ntfs-3g (Anton Gladky) +nodejs (guilhem) + NOTE: 20240406: Added by Front-Desk (lamby) +-- +nova + NOTE: 20230302: Re-add, request by maintainer (Beuc) + NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression + NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes); + NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch. + NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monoliticFlat disabled by default). + NOTE: 20230302: Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo) + NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected. + NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely. + NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) + NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) +-- +nss + NOTE: 20240121: Added by Front-Desk (apo) + NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90.x (their LTS version) available and backport from there. + NOTE: 20240310: see also: Message-ID: <Zd5GYmuVVIDU54Vv@isildor2.loewenhoehle.ip> + NOTE: 20240310: (2024-02-27 [deblts-team@freexian.com] Re: Current status: nss for buster) (tobi) +-- +nvidia-cuda-toolkit + NOTE: 20230514: Added by Front-Desk (utkarsh) + NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have + NOTE: 20230514: piled up. (utkarsh) + NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html + NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) + NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to suggest removal of support. (ola) -- nvidia-graphics-drivers - NOTE: package is in non-free but also in packages-to-support - NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 --- -openssh (Utkarsh) - NOTE: 20211003: a backporting error for CVE-2018-15473 was reported in - NOTE: 20211003: Ubuntu (and can see the same code differences here); - NOTE: 20211003: check if that needs to be fixed; talking to -security. - NOTE: 20211003: also CVE-2021-41617 is new; might be a good idea to - NOTE: 20211003: club both these together. (utkarsh) --- -python-babel - NOTE: 20210617: CVE-2021-20095 withdrawn, cf. 251b6e33 and #987824 (abhijith) - NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith) - NOTE: 20210620: Revisit when it has an assigned CVE ID (abhijith) --- -python3.5 (Utkarsh) - NOTE: 20211003: whilst looks like a no-dsa/postponed candidate on a - NOTE: 20211003: quick look, Canonical issued an update via the ESM - NOTE: 20211003: pocket. Needs another look. (utkarsh) --- -redis (Chris Lamb) - NOTE: 20211004: Fixed in sid and experimental. (lamby) - NOTE: 20211006: buster-pu filed in #995825. (lamby) --- -redmine - NOTE: 20211013: Issue appears to be private, so may require comparison of release - NOTE: 20211013: tarballs to find upstream changeset. (lamby) --- -rustc - NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable - NOTE: https://bugs.debian.org/928422 - NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk) --- -salt - NOTE: 20210329: WIP (utkarsh) - NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh) - NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh) - NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh) - NOTE: 20210816: will test the provided debdiff; needs testing as regression spotted. (utkarsh) --- -smarty3 (Markus Koschany) - NOTE: 20210829: Track regression (abhijith) - NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's reply (abhijith) --- -squashfs-tools (Thorsten Alteholz) - NOTE: 20211010: coordinate with upload to other releases --- -thunderbird (Emilio) + NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release? + NOTE: 20240303: Maybe it's time to mark them EOL? (apo/front-desk) +-- +nvidia-graphics-drivers-legacy-390xx + NOTE: 20240303: Added by Front-Desk (apo) + NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) +-- +org-mode + NOTE: 20240405: Added by Front-Desk (lamby) +-- +pdns-recursor + NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20240319: Upload postponed due to #1067124 (dleidert) +-- +php7.3 (Markus Koschany) + NOTE: 20240421: Added by Front-Desk (apo) +-- +putty (rouca) + NOTE: 20231224: Added by Front-Desk (ta) + NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) + NOTE: 20240324: Backport is straighforward (rouca) + NOTE: 20240324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104 + NOTE: 20240412: Wait for comments by maintainer +-- +pymongo + NOTE: 20240420: Added by Front-Desk (apo) +-- +python-asyncssh + NOTE: 20240116: Added by Front-Desk (lamby) + NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) +-- +python-idna + NOTE: 20240421: Added by Front-Desk (apo) +-- +rails + NOTE: 20220909: Re-added due to regression (abhijith) + NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) + NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) + NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith) + NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith) + NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith) + NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith) + NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith) + NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea + NOTE: 20221024: to break thrice in less than 2 month. + NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) + NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) +-- +ring + NOTE: 20230903: Added by Front-Desk (gladk) + NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) +-- +ruby-rack (Adrian Bunk) + NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20240408: waiting for feedback from Debian maintainer (bunk) +-- +runc (dleidert) + NOTE: 20240312: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. + NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) +-- +sendmail (rouca) + NOTE: 20231224: Added by Front-Desk (ta) + NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) + NOTE: 20240217: Patch extracted and being reviewed (rouca) + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists, + NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists, + NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) + NOTE: 20240324: some issue coordinate with myself and security team (rouca) +-- +shim (rouca) + NOTE: 20240306: Added by Front-Desk (opal) + NOTE: 20240415: https://salsa.debian.org/efi-team/shim/-/merge_requests/13 +-- +squid + NOTE: 20240109: Added by Front-Desk (apo) + NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix + NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo) +-- +suricata (Adrian Bunk) + NOTE: 20230620: Added by Front-Desk (Beuc) + NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, + NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), + NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk) + NOTE: 20230714: Still reviewing+testing CVEs. (bunk) + NOTE: 20230731: Still reviewing+testing CVEs. (bunk) + NOTE: 20231016: Still reviewing+testing CVEs. (bunk) + NOTE: 20231120: DLA coming soon. (bunk) +-- +tiff (Thorsten Alteholz) + NOTE: 20240314: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and + NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) +-- +tinymce + NOTE: 20231123: Added by Front-Desk (ola) + NOTE: 20231216: Someone with more XSS experience needed to assess the + NOTE: 20231216: severity of CVE-2023-48219. Also not clear to me that + NOTE: 20231216: upstream's patch is backportable, as the code has changed a + NOTE: 20231216: lot. (spwhitton) +-- +trafficserver (Adrian Bunk) + NOTE: 20240421: Added by Front-Desk (apo) +-- +tryton-server (Markus Koschany) + NOTE: 20240421: Added by Front-Desk (apo) + NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that + NOTE: 20240421: being resolved upstream. +-- +varnish + NOTE: 20231117: Added by Front-Desk (apo) + NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 + NOTE: 20231219: Continuing work + NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith) + NOTE: 20240122: Still fixing tests (abhijith) + NOTE: 20240213: Fixing tests.(abhijith) +-- +wordpress + NOTE: 20240314: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and + NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto) +-- +zabbix (Adrian Bunk) + NOTE: 20240212: Added by Front-Desk (utkarsh) +-- +zookeeper + NOTE: 20240324: Added by Front-Desk (ta) -- |