An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

To learn more about how this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append
notes rather than remove/replace existing ones.

--
adminer (Chris Lamb)
  NOTE: 20220409: please recheck whether Stretch is really vulnerable (Thorsten Alteholz)
  NOTE: 20220414: https://sourceforge.net/p/adminer/discussion/960419/thread/1b64510b71/?limit=25#2971 (lamby)
  NOTE: 20220421: pinged upstream (lamby)
--
ansible
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
  NOTE: 20220427: Lee Garrett (maintainer) took over the work a while ago. See
  NOTE: 20220427: https://salsa.debian.org/debian/ansible/-/commits/stretch/
--
asterisk
--
cgal
  NOTE: 20220421: many no-dsa issues, please check whether it is possible to fix them without uploading a new upstream release (Anton)
--
ckeditor
  NOTE: 20220402: multiple pending vulnerabilities (Beuc)
--
debian-security-support (Utkarsh)
  NOTE: 20220402: need to update the list of unsupported packages (Beuc)
  NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc)
  NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg00000.html (Beuc)
  NOTE: 20220419: backport prepped, will contact Holger for more details. (utkarsh)
--
epiphany-browser
  NOTE: 20220422: please try to reproduce and be careful with the patch applying.
  NOTE: 20220422: It cannot be applied one-to-one, but affected lines can be found. (Anton)
  NOTE: 20220423: Is stretch really affected? - I can reproduce with Buster and
  NOTE: 20220423: Bullseye versions, but not Stretch - error seems to be caused
  NOTE: 20220423: by https://gitlab.gnome.org/GNOME/epiphany/-/commit/232c613472b38ff0d0d97338f366024ddb9cd228
  NOTE: 20220423: (May 21, 2018), while the stretch version is from 2017. (Andreas)
--
firmware-nonfree
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
gerbv
  NOTE: 20220321: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton)
  NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton)
  NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton)
--
ghostscript (Markus Koschany)
--
golang-go.crypto
  NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc)
--
gpac (Roberto C. Sánchez)
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
  NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
  NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
  NOTE: 20220305: There are many dozens of open CVEs, it will take a while yet (roberto)
  NOTE: 20220413: New CVEs continue flooding in (roberto)
  NOTE: 20220427: Preparing to work with security team to declare EOL (roberto)
--
icingaweb2 (Abhijith PA)
--
intel-microcode
  NOTE: 20220213: please recheck
--
jackson-databind
  NOTE: 20220320: wait for complete upstream fix (apo)
--
kicad
--
kvmtool
  NOTE: 20220402: stretch-specific, orphaned package (Beuc)
  NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc)
--
libarchive (Thorsten Alteholz)
  NOTE: 20220423: still testing, some tests still fail
--
liblouis
  NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
  NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
--
libpgjava
--
libvirt (Thorsten Alteholz)
  NOTE: 20220423: wait for upload in newer releases, dependency loop seems to be resolved now
--
libz-mingw-w64
  NOTE: 20220231: upcoming DSA (Beuc)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mariadb-10.1
  NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
--
mbedtls (Utkarsh)
  NOTE: 20220404: update prepared, needs testing. (utkarsh)
  NOTE: 20220419: waiting for quick feedback from carnil. (utkarsh)
--
mruby
--
mutt (Utkarsh)
--
nvidia-cuda-toolkit
  NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc)
--
nvidia-graphics-drivers
  NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc)
  NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
  NOTE: 20220209: backport (apo)
--
openjdk-8 (pochu)
--
openvpn (Emilio)
  NOTE: 20220402: harmonize with buster/10.10 (Beuc)
--
pdns
  NOTE: 20220402: harmonize with buster/10.8 (Beuc)
--
puma
--
puppet-module-puppetlabs-firewall
  NOTE: 20220402: no Debian maintainer activity since 2018 (Beuc)
--
ring (Abhijith PA)
  NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
  NOTE: 20220404: package in archive is faulty. New regs can't be done due to (abhijith)
  NOTE: 20220404: a network error (abhijith)
--
ruby-devise-two-factor
  NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result
  NOTE: 20220427: of an incomplete fix to CVE-2015-7225. Will require some investigation. (lamby)
--
salt
--
samba
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
  NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
  NOTE: 20220125: ftbfs, wip. (utkarsh)
--
smarty3
--
snapd
  NOTE: 20220308: seems vulnerable at least to setup_private_mount,
  NOTE: 20220308: but double check (pochu)
--
sox
  NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton)
  NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton)
--
subversion (Roberto C. Sánchez)
  NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (e.g. "copyfrom_path = apr_pstrdup(...)" assignment)
  NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby)
--
tiff (Utkarsh)
  NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff.
  NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh)
  NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh)
--
twig
  NOTE: 20220402: cf. DSA-5107-1; similar code in lib/Twig/Extension/Core.php (Beuc)
--
twisted (Stefano Rivera)
--
unzip
  NOTE: 20220319: no patches yet but reproducible (apo)
  NOTE: 20220429: CVE-2022-0530: reported #1010355 with a proposed patch (enrico)
  NOTE: 20220429: CVE-2022-0529: sent a proposed patch to sanvila and team@s.d.o (enrico)
--
vim (Markus Koschany)
--
waitress
  NOTE: 20220320: I am not sure if we should ignore CVE-2022-24761 as it is
  NOTE: 20220320: basically another HTTP parsing error and a workaround exists
  NOTE: 20220320: or if we should overhaul the package and fix everything
  NOTE: 20220320: instead. Someone with more Python knowledge should take another look
  NOTE: 20220320: at it. (apo)
--