An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

NOTE: IMPORTANT: during 2022-08, make sure you do NOT conflict with a
NOTE: IMPORTANT: prepared upload for buster's last point release, see:
NOTE: IMPORTANT: https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian.org@packages.debian.org;tag=pu

--
apache2
  NOTE: 20220811: Programming language: C.
  NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 requesting SRM approval for upload to final buster point release (roberto)
  NOTE: 20220723: Received upload approval from SRM and uploaded to buster (roberto)
  NOTE: 20220809: Package is in oldstable-proposed-updates and will be in final buster point release (roberto)
--
asterisk (Markus Koschany)
  NOTE: 20220810: Programming language: C.
--
curl (Markus Koschany)
  NOTE: 20220802: Programming language: C.
--
epiphany-browser (Emilio)
  NOTE: 20220811: Programming language: C.
--
freecad
  NOTE: 20220815: Programming language: Python.
  NOTE: 20220815: Not all of the vulnerable os.system calls exist in the buster version. (lamby)
--
jetty9 (Markus Koschany)
  NOTE: 20220802: Programming language: Java.
--
kicad
  NOTE: 20220811: Programming language: C++.
--
kopanocore (Andreas Rönnquist)
  NOTE: 20220801: Programming language: C++.
  NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
--
linux (Ben Hutchings)
--
maven-shared-utils
  NOTE: 20220813: Programming language: Java
  NOTE: 20220813: VCS: https://salsa.debian.org/java-team/maven-shared-utils
  NOTE: 20220813: Maintainer notes: Markus is active in the Java team
  NOTE: 20220813: Special attention: Relatively high popcon
  NOTE: 20220813: Patch is relatively high. Please check, whether it can safely be applied (Anton)
--
mediawiki (Markus Koschany)
  NOTE: 20220810: Programming language: PHP.
--
ndpi (Anton)
  NOTE: 20220801: Programming language: C.
--
nodejs
  NOTE: 20220801: Programming language: JavaScript.
  NOTE: 20220801: one of the upstream fixes doesn't address the security issue
--
puma (Abhijith PA)
  NOTE: 20220801: Programming language: Ruby.
--
qemu (Abhijith PA)
  NOTE: 20220802: Programming language: C.
  NOTE: 20220802: debdiff of backported fixes was submitted to buster-proposed-updates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and
  NOTE: 20220802: can now be released as DLA instead. The updated packages are/were running fine in a buster ganeti cluster. (jmm)
  NOTE: 20220808: conflicting pu at https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , needs to be merged (Beuc/abhijith)
--
rsync (Stefano Rivera)
  NOTE: 20220811: Programming language: C.
  NOTE: 20220811: All patches should be applied. If it is too disruptive - evaluate the CVE's severity (Anton)
--
salt
  NOTE: 20220814: Programming language: Python
  NOTE: 20220814: Package is not in the supported packages by us.
  NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
--
schroot (carnil)
  NOTE: 20220813: Programming language: C++
  NOTE: 20220813: VCS: https://salsa.debian.org/debian/schroot/
  NOTE: 20220813: Maintainer notes: Maintainer prepares o-o-stable updates
  NOTE: 20220813: Debian security team will release DSA and DLA
--
zlib (Emilio)
  NOTE: 20220813: Programming language: C
  NOTE: 20220813: VCS: https://salsa.debian.org/lts-team/packages/zlib/
  NOTE: 20220813: Special attention: Very high popcon. Please test carefully!
--