An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

To learn more about how this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append
notes rather than remove/replace existing ones.

--
ansible (Lee Garrett)
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
apache2 (Anton)
  NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton)
--
apng2gif
  NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie
  NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk)
--
debian-archive-keyring
  NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
  NOTE: 20210920: Raphael answered. Will backport today. (utkarsh)
  NOTE: 20211003: waiting for Jonathan to get back as his keys
  NOTE: 20211003: seemed to have expired and the build is thus
  NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
  NOTE: 20211018: Jonathan is prepping the branch; will work
  NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
--
expat (Markus Koschany)
--
firefox-esr (Emilio)
--
firmware-nonfree (Markus Koschany)
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
flatpak
  NOTE: 20220113: upcoming DSA; non-trivial backport (Beuc)
--
gif2apng
  NOTE: 20220114: orphaned package with inactive upstream, maybe coordinate with Debian QA to write our own patches (Beuc)
  NOTE: 20220114: CVEs unrelated to apng2gif's (Beuc)
--
golang-1.7
  NOTE: 20220114: harmonize with bullseye-11.2 (CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717) (Beuc)
--
golang-1.8
  NOTE: 20220114: harmonize with bullseye-11.2 (CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717) (Beuc)
--
gpac (Roberto C. Sánchez)
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
  NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
  NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
--
guacamole-client
  NOTE: 20220114: package unmaintained AFAICS and only present in stretch (Beuc)
--
libarchive (Thorsten Alteholz)
  NOTE: 20220102: testing package
--
libgit2 (Utkarsh)
  NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed
  NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch
  NOTE: 20211029: 4 other CVEs might also be worth fixing (bunk)
  NOTE: 20211029: taking this with my maintainer hat on; will investigate
  NOTE: 20211029: and TAL later next week. (utkarsh)
  NOTE: 20211116: backports prepped; checking build and smoke-testing package. (utkarsh)
  NOTE: 20211129: readied up everything, using pygit and other wrappers
  NOTE: 20211129: around which the code changed. Will upload in the next 2 days. (utkarsh)
  NOTE: 20220110: waiting on upstream to get feedback. (utkarsh)
--
libraw (Abhijith PA)
  NOTE: 20211227: 7 CVEs that were fixed for jessie in DLA-1734-1 are unfixed
  NOTE: 20211227: in stretch, plenty other unfixed CVEs (bunk)
--
lighttpd (Anton)
  NOTE: 20220111: a DSA is planned (Beuc)
  NOTE: 20220113: version in stretch is not affected by CVE-2022-22707 (Anton)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
nvidia-graphics-drivers (Markus Koschany)
  NOTE: package is in non-free but also in packages-to-support
  NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
  NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm
  NOTE: 20211108: now fixes all 5 CVEs (bunk)
  NOTE: 20211229: https://people.debian.org/~apo/lts/nvidia-graphics-drivers/
--
pgbouncer (Christoph Berg)
  NOTE: 20220104: maintainer might want to upload fixed version
--
pillow (Emilio)
--
pjproject
  NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
--
prosody
  NOTE: 20220114: upcoming DSA (Beuc)
--
python2.7 (Anton)
  NOTE: 20220112: 3 postponed CVEs (Beuc)
--
qt4-x11 (Utkarsh)
  NOTE: 20220112: 2 SVG CVEs (CVE-2021-45930, CVE-2021-34812) to fix in both qtsvg-opensource-src and qt4-x11 (Beuc)
--
qtsvg-opensource-src (Utkarsh)
  NOTE: 20220112: 2 SVG CVEs (CVE-2021-45930, CVE-2021-34812) to fix in both qtsvg-opensource-src and qt4-x11 (Beuc)
--
samba (Utkarsh Gupta)
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload
  NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
--
slurm-llnl (Sylvain Beucler)
  NOTE: 20211229: CVE-2019-12838 is marked "Too intrusive to backport" but was
  NOTE: 20211229: backported to jessie in DLA-2143-1.
  NOTE: 20211229: If CVE-2019-12838 gets fixed, then the 4 other "no DSA" CVEs
  NOTE: 20211229: should also be checked. (bunk)
  NOTE: 20220107: backporting patches (Beuc)
  NOTE: 20220114: wait for Thorsten's precisions wrt. CVE-2021-31215 triage
--
sphinxsearch (Thorsten Alteholz)
  NOTE: 20220103: waiting for Buster upload
--
thunderbird (Emilio)
  NOTE: 20220104: ftbfs on armhf (pochu)
--
uriparser
--
vim (Emilio)
--
wordpress (Utkarsh)
  NOTE: 20220108: Issues may not warrant a DLA. See comment for commit 3ae7f35d1 re. previous release. (lamby)
--
zabbix
--