An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
ark (Abhijith PA)
  NOTE: 20200731: given PoC not working as intended. (abhijith)
  NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith) 
--
cacti
  NOTE: 20200529: A patch need to be cooked up. Upstream patch not fit for jessie version (abhijith)
  NOTE: 20200620: WIP (abhijith)
  NOTE: 20200629: Working on the patch (abhijith)
  NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh)
  NOTE: 20200726: partial fix https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch (abhijith)
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
--
cimg
  NOTE: 20200709: Upstream patch is against a newer "load_network_external"
  NOTE: 20200709: method (vs "load_network") but is still missing the argument
  NOTE: 20200709: sanitisation. (lamby)
--
clamav (Emilio)
  NOTE: 20200728: update ready, waiting for buster point release (pochu)
--
condor (Roberto C. Sánchez)
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
  NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
--
evolution-data-server (Adrian Bunk)
--
firefox-esr (Emilio)
  NOTE: 20200720: working on ESR 78 backport. (Emilio)
--
freerdp
  NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
  NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver)
--
golang-github-seccomp-libseccomp-golang (Adrian Bunk)
  NOTE: 20200727: work is ongoing (bunk)
--
gupnp
--
imagemagick (Markus Koschany)
  NOTE: 20200713: Ongoing work
--
jruby (Adrian Bunk)
  NOTE: 20200706: all open CVEs were fixed in jessie (Beuc)
--
jupyter-notebook
  NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
--
libx11 (Emilio)
  NOTE: 20200802: Please check whether #966691 is/was related to the CVE fix. (bunk)
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
  NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
--
net-snmp
  NOTE: 20200801: Regression related to DLA 2299-1 (abhijith)
  NOTE: 20200801: https://lists.debian.org/debian-lts/2020/08/msg00000.html (abhijith)
--
nss (Adrian Bunk)
  NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)
  NOTE: 20200727: work is ongoing (bunk)
--
opendmarc
  NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
--
openjdk-8 (Emilio)
--
pillow (Utkarsh Gupta)
  NOTE: 20200711: Appears vulnerable to at least CVE-2020-10177, but not CVE-2020-10378. (lamby)
--
puma
  NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby)
--
python2.7 (Thorsten Alteholz)
--
qemu
--
ruby-kramdown (Abhijith PA)
--
samba
  NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
  NOTE: 20200801: Stretch update already released, so no conflict. (roberto)
  NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740, are ready. (roberto)
  NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto)
--
sane-backends
  NOTE: 20200731: Most issues either fixed or <not-affected> in jessie. (abhijith)
--
slirp
  NOTE: 20200724: Version in stretch also requires backport of patch from CVE-2020-7039 (lamby)
--
sqlite3
  NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby)
--
squid3 (Markus Koschany)
  NOTE: 20200730: I am investigating a possible regression (#965012)
--
sympa
  NOTE: 20200525: Incomplete patch. Not the complete patch is made public. (utkarsh)
  NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
  NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
  NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
  NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
  NOTE: 20200531: non-public patch received but don't think it should applied (utkarsh)
  NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh)
  NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
  NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
--
thunderbird (Emilio)
--
wordpress
  NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)
  NOTE: 20200710: During triage noticed that CVE-2020-4046 was marked as fixed
  NOTE: 20200710: in 4.1.31+dfsg-0+deb8u1 in jessie LTS, yet does not seem that
  NOTE: 20200710: it was vulnerable to begin with. (lamby)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--
xrdp (Abhijith PA)
--
zabbix (Chris Lamb)
--