An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To work on a package, simply add your name behind it.
To learn more about how this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
cacti
  NOTE: 20221208: Programming language: PHP.
--
ceph
  NOTE: 20221031: Programming language: C++.
  NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system.
  NOTE: 20221031: What should be checked is whether any user with ceph permission can do the actions described in the exploit. (ola/front-desk)
  NOTE: 20221130: CVE-2022-3650: The patch is kind of trivial Python stuff backporting work.
  NOTE: 20221130: Can someone take care of it in Buster? I'm currently building the Bullseye backport of the fix...
  NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer)
--
consul
  NOTE: 20221031: Programming language: Go.
  NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail.
--
curl (Roberto C. Sánchez)
  NOTE: 20220901: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
  NOTE: 20220904: Special attention: high popcon!
--
erlang
  NOTE: 20221119: Programming language: Erlang.
  NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch)
--
exiv2
  NOTE: 20221119: Programming language: C.
--
firmware-nonfree (Markus Koschany)
  NOTE: 20220906: Consider checking the severity of the issues again and judge whether a correction is worth it.
  NOTE: 20221204: Coming soon in the first week of December. (apo)
--
fusiondirectory
  NOTE: 20221203: Programming language: PHP.
  NOTE: 20221203: Please evaluate whether the package can be fixed (gladk).
  NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
  NOTE: 20221203: Also the package was removed from sid recently (gladk).
  NOTE: 20221203: Feel free to mark both CVEs as , if they are not too serious (gladk).
--
fwupd
  NOTE: 20221003: Programming language: C++.
--
git (Sylvain Beucler)
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/git.git
--
golang-1.11
  NOTE: 20220916: Programming language: Go.
  NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't)
  NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921
--
golang-github-nats-io-jwt
  NOTE: 20221109: Programming language: Go.
  NOTE: 20221109: Special attention: limited support, cf. buster release notes; not in bullseye
--
golang-go.crypto
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support, cf. buster release notes
  NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
  NOTE: 20220915: Special attention: also check bullseye status
--
golang-websocket
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies
--
hsqldb (Markus Koschany)
  NOTE: 20221031: Programming language: Java.
  NOTE: 20221031: To be investigated further. A possible outcome is to ignore it.
  NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html
--
imagemagick (Roberto C. Sánchez)
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
kopanocore
  NOTE: 20220801: Programming language: C++.
  NOTE: 20220811: Proposed a patch for CVE-2022-26562 (#1016973) (gusnan/retired)
--
lava
  NOTE: 20221127: Programming language: Python.
--
libapreq2
  NOTE: 20221031: Programming language: C.
--
libde265
  NOTE: 20221107: Programming language: C++.
  NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
  NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
--
libetpan
  NOTE: 20221203: Programming language: C++.
  NOTE: 20221203: VCS: https://salsa.debian.org/lts-team/packages/libetpan.git
--
libreoffice
  NOTE: 20221012: Programming language: C++.
--
libsdl2
  NOTE: 20221111: Programming language: C.
  NOTE: 20221111: Sync with jessie/stretch/bullseye (Beuc/front-desk)
--
libstb
  NOTE: 20221111: Programming language: C.
--
linux (Ben Hutchings)
--
man2html
  NOTE: 20221004: Programming language: C.
  NOTE: 20221004: It looks like no patch is available.
  NOTE: 20221004: Please evaluate whether the issue can be marked as .
--
mbedtls
  NOTE: 20220821: Programming language: C.
--
modsecurity-crs
  NOTE: 20221006: Programming language: Other.
  NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading a newer version.
--
mplayer
  NOTE: 20221009: Programming language: C.
  NOTE: 20221009: Many open CVEs.
--
multipath-tools
  NOTE: 20221029: Programming language: C.
  NOTE: 20221029: Special attention: root privilege escalation.
--
net-snmp
  NOTE: 20221120: Programming language: C.
  NOTE: 20221206: no upstream patch yet.
--
netatalk (gladk)
  NOTE: 20220816: Programming language: C.
  NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor)
--
nextcloud-desktop
  NOTE: 20221128: Programming language: C++.
  NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop
  NOTE: 20221128: Please coordinate with the maintainer the usage of their git repo (gladk).
--
node-css-what
  NOTE: 20221031: Programming language: JavaScript.
--
node-eventsource (guilhem)
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
--
node-follow-redirects
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-got
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
--
node-hawk
  NOTE: 20221204: Programming language: JavaScript.
  NOTE: 20221204: VCS: https://salsa.debian.org/lts-team/packages/node-hawk.git
--
node-loader-utils
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk)
--
node-moment (Utkarsh)
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)
--
node-nth-check
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-object-path
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
--
node-set-value
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
--
node-tar
  NOTE: 20220907: Programming language: JavaScript.
--
node-trim-newlines
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-url-parse
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk)
--
node-xmldom
  NOTE: 20221130: Programming language: JavaScript.
  NOTE: 20221130: VCS: https://salsa.debian.org/lts-team/packages/node-xmldom.git
  NOTE: 20221130: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 (gladk).
--
nodejs
  NOTE: 20221105: Programming language: JavaScript, C/C++, Python.
  NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git
  NOTE: 20221105: Source code not checked. It may be that the vulnerability is not present in buster.
--
openexr (Markus Koschany)
  NOTE: 20220904: Programming language: C++.
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
php-cas
  NOTE: 20221105: Programming language: PHP.
  NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored. (ola)
  NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports),
  NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk)
  NOTE: 20221110: upcoming DSA (Beuc/front-desk)
--
php7.3
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: CVE-2022-37454 is what is of most concern.
--
pluxml
  NOTE: 20220913: Programming language: PHP.
  NOTE: 20220913: Special attention: orphaned package.
--
pngcheck
  NOTE: 20221127: Programming language: C.
--
protobuf
  NOTE: 20221031: Programming language: Several.
  NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf.
--
puppet-module-puppetlabs-mysql
  NOTE: 20221107: Programming language: Puppet, Ruby.
--
qemu
  NOTE: 20221108: Programming language: C.
  NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch,
  NOTE: 20221108: there's about half of them that can be fixed now (or definitely ignored if backporting is too risky/complex) (Beuc/front-desk)
--
r-cran-commonmark
  NOTE: 20221009: Programming language: R.
  NOTE: 20221009: Please synchronize with ghostwriter.
--
rails
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression-causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
  NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
  NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
  NOTE: 20221024: to break thrice in less than 2 months.
--
rainloop
  NOTE: 20220913: Programming language: PHP, JavaScript.
  NOTE: 20220913: Special attention: orphaned as of 2022-09.
  NOTE: 20220913: Upstream appeared dead but there was activity 2 weeks ago,
  NOTE: 20220913: a "SnappyMail" fork exists and may have patches we can use,
  NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
  NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk)
--
ring
  NOTE: 20221120: Programming language: C.
--
runc
  NOTE: 20220905: Programming language: Go.
  NOTE: 20220905: Special attention: Sync with Bullseye.
--
salt
  NOTE: 20220814: Programming language: Python.
  NOTE: 20220814: Package is not among the packages supported by us.
  NOTE: 20220814: Also, I am not sure whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
--
samba
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
  NOTE: 20220904: Special attention: High popcon! Used in many servers.
  NOTE: 20220904: Many postponed or open CVEs in general. (apo)
--
snort
  NOTE: 20220905: Requires further triaging to conclude exactly which CVEs are to be fixed or ignored.
--
sox
  NOTE: 20220818: Programming language: C.
  NOTE: 20220818: Requires some investigation; see #1012138 etc.
  NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith)
--
tiff
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
--
trafficserver
  NOTE: 20220905: Programming language: C.
  NOTE: 20221024: WIP, big changeset in security fix (abhijith)
  NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith)
  NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith)
--
xdg-utils
  NOTE: 20221120: Programming language: C.
  NOTE: 20221120: no real fix yet
--
zabbix
  NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch, so it should be fixed in buster too.
--