An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

NOTE: IMPORTANT: during 2022-08, make sure you do NOT conflict with a
NOTE: IMPORTANT: prepared upload for buster's last point release, see:
NOTE: IMPORTANT: https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian.org@packages.debian.org;tag=pu

--
apache2
  NOTE: 20220811: Programming language: C.
  NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 requesting SRM approval for upload to final buster point release (roberto)
  NOTE: 20220723: Received upload approval from SRM and uploaded to buster (roberto)
  NOTE: 20220809: Package is in oldstable-proposed-updates and will be in final buster point release (roberto)
--
asterisk (Markus Koschany)
--
curl (Markus Koschany)
--
gnutls28 (Emilio)
  NOTE: 20220810: there's an update in opu, checked with SRM, will upload with higher
  NOTE: 20220810: version and including the changes in opu to -security (pochu)
--
jetty9 (Markus Koschany)
--
kopanocore
--
libtirpc (Emilio)
--
linux (Ben Hutchings)
--
mediawiki (Markus Koschany)
--
ndpi
--
nodejs
  one of the upstream fixes doesn't address the security issue
--
puma
--
rsync
  NOTE: 20220811: Programming language: C.
  NOTE: 20220811: All patches should be applied. If it is too disruptive - evaluate the CVE severity (Anton)
--
qemu (Abhijith PA)
  NOTE: 20220802: debdiff of backported fixes was submitted to buster-proposed-updates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and
  NOTE: 20220802: wcan now be released as DLA instead. The updated packages are/were running fine in a buster ganeti cluster. (jmm)
  NOTE: 20220808: conflicting pu at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , needs to be merged (Beuc/abhijith)
--