An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- ansible NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666 NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable. NOTE: 20200506: (lamby) NOTE: 20200508: bam: Problem exists with new files only. Existing files NOTE: 20200508: bam: code resets permissions to same value, should be fine. NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970 NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- batik (Emilio) -- cacti (Abhijith PA) NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith) NOTE: 20200620: WIP (abhijith) NOTE: 20200629: Working on the patch (abhijith) NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh) -- ceph NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby) -- condor (Roberto C. Sánchez) NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby) NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh) NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk) NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto) -- curl (Thorsten Alteholz) -- ffmpeg (Adrian Bunk) NOTE: 20200707: Vulnerable to at least CVE-2020-13904. (lamby) -- firefox-esr (Emilio) -- freerdp NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) -- fwupd (Chris Lamb) -- glib-networking (Emilio) -- gupnp -- imagemagick (Markus Koschany) NOTE: 20200622: Ongoing work -- jruby NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- mercurial NOTE: 20200706: all open CVEs were fixed in jessie (Beuc) -- mumble NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith) -- net-snmp (Sylvain Beucler) NOTE: 20200628: be aware of the ABI break introduced by the patches! (thorsten) -- nginx NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- nss (Adrian Bunk) NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc) -- opendmarc (Thorsten Alteholz) NOTE: 20200621: testing package (thorsten) -- openjpeg2 (Utkarsh Gupta) -- python3.5 (Sylvain Beucler) -- qemu (Utkarsh Gupta) -- rails (Sylvain Beucler) NOTE: 20200706: coordinating/reviewing stretch update with security and ruby teams NOTE: 20200706: https://lists.debian.org/debian-lts/2020/06/msg00095.html NOTE: 20200706: got regression claim but probably erroneous NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00033.html -- ruby-rack (Utkarsh Gupta) NOTE: probably not affected (parse_cookies_header() is not available in Jessie, but code might hide somewhere else) (thorsten) -- samba (Roberto C. Sánchez) NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh) -- shiro (Chris Lamb) NOTE: 20200629: Taking this now as I did the last upload. (lamby) NOTE: 20200701: CVE-2020-1957's patch should also be included for Stretch LTS. (utkarsh) -- squid3 (Markus Koschany) NOTE: 20200622: https://people.debian.org/~apo/lts/squid3/ NOTE: 20200622: Patch for CVE-2019-12523 almost complete. -- sympa NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh) NOTE: 20200525: But that is weird, given their announcement. (utkarsh) NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh) NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh) NOTE: 20200531: non-public patch received but don't think it should applied (utkarsh) NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh) NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh) NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh) -- tomcat8 (Markus Koschany) NOTE: 20200701: CVE-2020-9484's patch should also be included for Stretch LTS. (utkarsh) -- unbound NOTE: 20200616: Package unsupported. NOTE: 20200616: Not possible to update debian-security-support package in Jessie. NOTE: 20200616: https://lists.debian.org/debian-lts/2020/06/msg00038.html (bam) -- wpa (Abhijith PA) -- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby) NOTE: 20200517: work is ongoing. (gladk) NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk) NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk) --