A wheezy-lts security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
apache2 (Roberto C. Sánchez)
  NOTE: 20170625, packages ready for upload, request for testing sent to list
--
bind9 (Thorsten Alteholz)
--
boa
  NOTE: only available in Wheezy and orphaned
  NOTE: Should probably be marked unsupported: https://lists.debian.org/debian-lts/2017/06/msg00145.html
--
ca-certificates (Antoine Beaupré)
  NOTE: 2017-03-27: maintainer will handle the upload, see https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8839@pbandjelly.org
  NOTE: 2017-05-12: Pinged the maintainer -- Raphael Hertzog
  NOTE: 2017-06-27: gave a 3-day deadline to maintainer -- Antoine
--
check-mk
  NOTE: the code is different in wheezy but from a cursory look, there
  NOTE: might be multiple places where error messages are not properly
  NOTE: HTML escaped. Without trying, it's hard to know if the error
  NOTE: messages do include user controllable content.
--
eglibc
  NOTE: Patch available, however not yet applied upstream.
--
graphite2 (Markus Koschany)
--
icedove
  NOTE: I think Guido will do the upload
--
irssi
  NOTE: Maintainer plans to do the update. The issue is not urgent according to
  NOTE: the maintainer.
--
jasper (Thorsten Alteholz)
  NOTE: 20170629, no patch available for the remaining CVEs yet, pinged upstream
--
jbig2dec (Thorsten Alteholz)
  NOTE: 20170629, no patch available yet
  NOTE: other no-dsa CVE issue open that might be worth fixing
  NOTE: jessie has the same version
--
jetty (Markus Koschany)
--
jetty8 (Markus Koschany)
--
kdepim (Lucas Kanashiro)
--
libav
  NOTE: Diego Biurrun (from the libav team) is working on patches.
  NOTE: undetermined issues are currently being triaged (Diego Biurrun and Hugo Lefeuvre
  NOTE: have access to the original reproducers)
--
libdbd-mysql-perl
  NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, sent email later
--
libmtp
  NOTE: 20170702 sent email to maintainer
--
libquicktime
--
libraw (Emilio Pozuelo)
  NOTE: Maintainer contacted 2017-06-05.
--
libreoffice (Emilio Pozuelo)
  NOTE: regression update, see:
  NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html
--
libtorrent-rasterbar (Thorsten Alteholz)
  NOTE: 20170702 sent email to maintainer
--
libxml2 (Thorsten Alteholz)
--
libxml-libxml-perl
  NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, sent email later
--
libytnef (Thorsten Alteholz)
  NOTE: 20170629, patches missing
--
linux
--
mcollective
  NOTE: See https://lists.debian.org/debian-lts/2017/03/msg00008.html
--
ming (Emilio Pozuelo)
  NOTE: only available in Wheezy and probably orphaned
--
mosquitto (Roger A. Leigh/Gianfranco Costamagna)
--
mpg123
  NOTE: 20170702 sent email to maintainer
--
mupdf
--
mysql-connector-python
  NOTE: No patch to apply. Upstream has released new upstream version 2.1.6
  NOTE: with claimed fixes. Diff from prior version is 2198 lines long and
  NOTE: has 8 different bugs fixed. Only 2 reverse dependencies:
  NOTE: mysql-utilities and mysql-workbench.
--
nasm
  NOTE: 20170702 sent email to maintainer
--
openexr
--
poppler
--
postgresql-9.1 (Christoph Berg)
  NOTE: maintainer will give it a try tomorrow (2017-05-28)
--
pspp
  NOTE: 20170702 sent email to maintainer
--
puppet (Antoine Beaupre)
  NOTE: 2017-06-01: Seems to be at puppet/indirector/catalog/compiler.rb (line 25),
  NOTE: 2017-06-01: however I don't know whether pson is the only supported format
  NOTE: 2017-06-01: in this older version of puppet. -- lamby@d.o
--
qemu (Guido Günther)
--
qemu-kvm (Guido Günther)
  NOTE: Investigating CVE-2017-2633
  NOTE: Patches for minor issues at https://anonscm.debian.org/cgit/users/agx/qemu-kvm.git/log/
--
rkhunter (Thorsten Alteholz)
  NOTE: 20170702 sent email to maintainer
--
sudo (Antoine Beaupré)
  NOTE: this is about https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd
  NOTE: which might well be fixed once more issues piled up
--
tiff (Roberto C. Sánchez)
--
tiff3 (Roberto C. Sánchez)
--
wireshark
  NOTE: maintainer *may* take care of this, as previously
--
wordpress
--
xbmc
  NOTE: Reproduced: https://lists.debian.org/debian-lts/2017/04/msg00025.html
  NOTE: no upstream fix, may require refactoring
--
xen
--
yaml-cpp
  NOTE: fix sent upstream, waiting for review
--
zoneminder
  NOTE: SQL injection and session fixation vulnerability fixes:
  NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1764/files
  NOTE: No CVE assigned.
--