An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed, they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it.
To learn more about how this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append
notes rather than remove/replace existing ones.
--
abcm2ps (Anton)
--
ansible
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
asterisk (Abhijith PA)
  NOTE: 20220314: Looking on back log no-dsa (abhijith)
--
cacti (Sylvain Beucler)
  NOTE: 20220321: checking postponed vulnerabilities
--
condor
--
firmware-nonfree
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
gerbv (Anton)
  NOTE: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton)
--
golang-go.crypto
--
gpac
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
  NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
  NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
  NOTE: 20220305: There are many dozens of open CVEs, it will take a while yet (roberto)
--
icingaweb2
--
intel-microcode
  NOTE: 20220213: please recheck
--
jackson-databind
  NOTE: 20220320: wait for complete upstream fix (apo)
--
kicad
--
libarchive (Thorsten Alteholz)
  NOTE: 20220225: fix seems to be incomplete
--
libdatetime-timezone-perl (Emilio)
--
liblouis
  NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
  NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
--
libpgjava
--
libxml2 (Anton)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mariadb-10.1
  NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
--
mbedtls (Utkarsh)
--
minidlna (Thorsten Alteholz)
--
nvidia-graphics-drivers
  NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc)
  NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
  NOTE: 20220209: backport (apo)
--
pjproject (Abhijith PA)
  NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
  NOTE: 20220215: Asterisk and ring have embedded copy of pjproject (abhijith)
  NOTE: 20220302: uploading asterisk, ring and pjproject in one go (abhijith)
  NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/pjproject_2.5.5~dfsg-6+deb9u3.dsc
--
qemu
  NOTE: 20220320: Vulnerable function appears to be vhost_vsock_send_transport_reset.
  NOTE: 20220320: Consider looking into postponed issues (apo)
--
ring (Abhijith PA)
  NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
--
samba
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
  NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
  NOTE: 20220125: ftbfs, wip. (utkarsh)
--
smarty3
--
snapd
  NOTE: 20220308: seems vulnerable at least to setup_private_mount,
  NOTE: 20220308: but double check (pochu)
--
tiff (Utkarsh)
--
tzdata (Emilio)
--
unzip
  NOTE: 20220319: no patches yet but reproducible (apo)
--
usbguard
--
waitress
  NOTE: 20220320: I am not sure if we should ignore CVE-2022-24761 as it is
  NOTE: 20220320: basically another HTTP parsing error and a workaround exists
  NOTE: 20220320: or if we should overhaul the package and fix everything
  NOTE: 20220320: instead. Someone with more Python knowledge should take another look
  NOTE: 20220320: at it. (apo)
--
wireshark
--
zabbix
--