An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- clamav (Hugo Lefeuvre) NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster. NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration NOTE: does not seem very smooth from the perspective of users. The release NOTE: team would like to wait for an init script for the new clamonacc NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557 -- hiredis (Chris Lamb) NOTE: 20200118: no upstream patches, yet, but should be easy to fix (sunweaver) NOTE: 20200119: submitted patch upstream (lamby) NOTE: 20200123: various alternative approaches being discussed upstream (lamby) NOTE: 20200123: new PR opened upstream (lamby) -- ibus NOTE: 20191210: Requires glib2.0 to be patched also. NOTE: 20191210: See https://bugs.debian.org/941018 NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 -- intel-microcode -- jackson-databind NOTE: 20200105: Can be postponed again. (apo) -- libexif NOTE: 20191111: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102) NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102) NOTE: 20191118: No patch yet. Shall claim and fix once the patch is available. (utkarsh2102) NOTE: 20191201: Pinged the upstream yet again. (utkarsh2102) NOTE: 20191216: The android patch does not apply but is easy to manually apply. (ola) NOTE: 20191216: The problem is the file to trigger the fault is not known. (ola) NOTE: 20200111: Investigated the issue, currently in contact with Ray Essick @google NOTE: 20200111: to get access to the reproducer. (hle) -- libjackson-json-java (Adrian Bunk) NOTE: 20200127: work is ongoing -- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. NOTE: 20190428: most patches can be applied after context adaption NOTE: 20190428: all CVEs are from one fuzzing attempt NOTE: 20190428: some CVE testcases pass on the unpatched version, NOTE: 20190428: but since the fixes can be made applied the code NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them NOTE: 20200127: work is ongoing -- libxmlrpc3-java (Roberto C. Sánchez) -- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- nss (Markus Koschany) NOTE: 20200127: Fix for CVE-2019-17023 requires more work and testing but NOTE: release is planned for this week. -- opendmarc (Thorsten Alteholz) NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing -- openjdk-7 (Emilio) -- openjpeg2 (Mike Gabriel) NOTE: 20200130: re-adding package again, after I just fixed CVE-2020-6851. Obviously a similar NOTE: 20200130: issue but different cause. -- python-pysaml2 (Abhijith PA) -- python-reportlab (Hugo Lefeuvre) NOTE: 20200127: upstream fix was published, but potentially unsuitable. currently investigating. -- qemu (Utkarsh Gupta) NOTE: 20200118: embedded libslirp in qemu/jessie is affected. (sunweaver) NOTE: 20200119: Sent RFT to the list. (utkarsh2102) -- radare2 NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. NOTE: Also note that there is a r2-pwnDebian challenge... NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo) NOTE: Support status is being discussed at: NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html -- ruby-rack NOTE: 20191219: The security update causes a regression and also, there's a NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102) -- ruby-rack-cors (Utkarsh Gupta) -- salt NOTE: 20200118: about CVE-2019-17361... Compared to the upstream fix, there is a NOTE: 20200118: very similar code passage in salt/jessie's salt/client/api.py file. NOTE: 20200118: Needs to be checked, if that code is vulnerable or not. -- slurm-llnl NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc NOTE: Regression found. (abhijith) -- squid3 NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf. NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck. NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed. NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that NOTE: 20200116: addresses the vulnerabilities. (roberto) NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy NOTE: 20200120: to add those checks without introducing SBuf. (Ola) NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more NOTE: 20200120: details on the intention. (Ola) -- storebackup (Utkarsh Gupta) -- tomcat8 (Abhijith PA) NOTE: 20200106: Almost done. Working on failing testcase. -- wordpress NOTE: 20200118: Maybe affected, needs deeper triaging, no obvious commits NOTE: 20200118: referenced upstream. (sunweaver) -- xcftools (Hugo Lefeuvre) NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review. NOTE: but I might just not receive any review any time soon, so I will now attempt to NOTE: fix the second issue and move on with the update. NOTE: 20200127: ongoing -- xen -- xerces-c (Hugo Lefeuvre) NOTE: 20191231: There is no upstream patch yet. (apo) NOTE: 20200118: There is still no upstream patch. (lamby) -- yara NOTE: 20191212: no upstream fix yet NOTE: 20200119: still no upstream fix (daissi) --