An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed, they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it.
To learn more about how this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append
notes rather than remove/replace existing ones.
--
ansible
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
apache2 (Emilio)
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal (lamby)
  NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
  NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
  NOTE: 20200928: If someone knows how to test the packages please take this build and upload (after testing it).
  NOTE: 20210118: wip (Emilio)
--
condor
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
  NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
  NOTE: 20210205: Some patches seem to be available but not clear if it solves the whole issue or not. (ola)
--
ffmpeg (Anton Gladky)
  NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15
  NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are
  NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS,
  NOTE: 20210607: so some investigation and insight is required to see which
  NOTE: 20210607: apply and/or what we do with the version of ffmpeg in LTS
  NOTE: 20210607: going forward. There is a 3.4.x release branch, for example,
  NOTE: 20210607: but unclear on the compatibility as well as whether this one
  NOTE: 20210607: won't just be dropped too, etc. etc. (lamby)
--
gpac (Thorsten Alteholz)
  NOTE: 20210607: WIP
--
htmldoc (Utkarsh Gupta)
--
jetty9 (Sylvain Beucler)
--
libxstream-java
  NOTE: 20210603: upstream changed the default security framework to a whitelist,
  NOTE: 20210603: we should consider checking rdeps and doing the same and announce
  NOTE: 20210603: that the blocklist is no longer supported, see
  NOTE: 20210603: https://lists.debian.org/debian-lts/2021/06/msg00001.html (pochu)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
nettle (Emilio)
--
nvidia-graphics-drivers
  NOTE: package is in non-free but also in packages-to-support
  NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
prosody (Anton Gladky)
  NOTE: 20210519: at least the 10MB limit mentioned in CVE-2021-32918 is present
  NOTE: 20210530: WIP
--
ruby-actionpack-page-caching (Markus Koschany)
  NOTE: 20200819: Upstream's patch does not apply due to subsequent
  NOTE: 20200819: refactoring. However, a quick look at the private
  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
  NOTE: 20200819: uses the path without normalising any "../" etc., simply
  NOTE: 20200819: URI.parser.unescape-ing it. Requires more investigation. (lamby)
--
ruby-doorkeeper (Sylvain Beucler)
--
ruby-kaminari (Markus Koschany)
  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
  NOTE: 20200819: the one upstream or in its many forks. For example, both the
  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
  NOTE: 20200819: file has been refactored a few times). (lamby)
  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
  NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
salt
  NOTE: 20210329: WIP (utkarsh)
  NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
  NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh)
  NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh)
--
shiro (Roberto C. Sánchez)
  NOTE: 20200920: WIP
  NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
  NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
  NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto)
  NOTE: 20210511: Upstream provided suggestions/guidance on testing of backported fixes; testing/tweaking is in progress. (roberto)
--
slapi-nis (Thorsten Alteholz)
  NOTE: 20210607: WIP
--
sogo (Anton Gladky)
  NOTE: 20210603: maybe mention in announcement the recommendation to invalidate user
  NOTE: 20210603: sessions (see upstream blog). (pochu)
--
squid3 (Abhijith PA)
  NOTE: 20210523: not sure whether all CVEs really affect Stretch
  NOTE: 20210528: Looks like all CVEs affect stretch. (Ola)
  NOTE: 20210528: For some buildRangeHeader has just moved from one file to another. (Ola)
  NOTE: 20210603: I'm working on a ELTS fix and it's the same version, WIP backported patches at:
  NOTE: 20210603: https://www.beuc.net/tmp/debian-elts/squid3/ (Beuc)
  NOTE: 20210609: https://deb.freexian.com/extended-lts/pool/main/s/squid3/ (Beuc)
--
xmlbeans
  NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
  NOTE: 20210222: upstream release with the fix). Trying to determine how to
  NOTE: 20210222: implement the changes without introducing too much new code. (roberto)
  NOTE: 20210309: Have developed a minimal backport that accomplishes necessary security
  NOTE: 20210309: fix with minimal new code. (roberto)
  NOTE: 20210527: My hope is to [...] pick back up on xmlbeans for both LTS and ELTS at the start of June
  NOTE: 20210601: claimed in ELTS by apo
--