An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- ansible NOTE: 20210411: As discussed with the maintainer I will update Buster first and NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- exiv2 (Utkarsh Gupta) NOTE: 20210801: check further; some no-dsa issues have piled up, too. (utkarsh) NOTE: 20210816: wip, new CVEs added, too. comparing w/ buster. (utkarsh) -- firmware-nonfree (Anton Gladky) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210815: Planed to be finished on CW 34/2021 NOTE: 20210822: Work is delayed due to urgent regression fix in another package -- gpac (Thorsten Alteholz) NOTE: 20210815: WIP, almost done, still testing package -- grilo (Thorsten Alteholz) NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38 -- krb5 (Adrian Bunk) -- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- mosquitto NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp) NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp) -- mupdf (codehelp) NOTE: 20210817: fix for CVE-2020-19609 and CVE-2021-37220 in buster are to be put into a point release. -- nettle NOTE: 20210719: difficult backport, wip (Emilio) -- nvidia-graphics-drivers NOTE: package is in non-free but also in packages-to-support NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 -- openssl (Thorsten Alteholz) -- pjproject (Abhijith PA) NOTE: 20210804: Check notes on CVE (especially re. src:ring). (lamby) NOTE: 20210821: Fix backported (abhijith) -- python-babel NOTE: 20210617: CVE-2021-20095 withdrawn, cf. 251b6e33 and #987824 (abhijith) NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith) NOTE: 20210620: Revisit when it has an assigned CVE ID (abhijith) -- qemu (Markus Koschany) -- ruby-kaminari NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to NOTE: 20200819: the one upstream or in its many forks. For example, both dthe NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the NOTE: 20200819: file has been refactored a few times). (lamby) NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh) NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh) NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) NOTE: 20210719: https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari. NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly. -- ruby2.3 (Utkarsh Gupta) NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh) NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh) -- rustc (Anton Gladky) NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable NOTE: https://bugs.debian.org/928422 NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk) -- salt NOTE: 20210329: WIP (utkarsh) NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh) NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh) NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh) NOTE: 20210816: will test the provided debdiff; needs testing as regression spotted. (utkarsh) --