An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated, have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200219: no upstream fixes yet
--
bluez (Emilio)
  NOTE: 20200330: wip
--
ceph (Chris Lamb)
  NOTE: 20200408: Upstream patch does not cleanly apply; no std::any_of and
  NOTE: 20200408: lack of parsing of request state means no handy
  NOTE: 20200408: "is_anonymous" method. (lamby)
--
graphicsmagick (Roberto C. Sánchez)
--
inetutils (Roberto C. Sánchez)
  NOTE: 20200408: Check cfe888f14 in this repo, as well as #953477 and 9d28e4c3. (lamby)
--
jackson-databind (Utkarsh Gupta)
--
libconvert-asn1-perl (Utkarsh Gupta)
--
libmatio (Adrian Bunk)
  NOTE: fairly high number of open issues. Not sure why we never had a look at them.
  NOTE: triage work needed, help security team for fixes if needed.
  NOTE: 20190428: most patches can be applied after context adaption
  NOTE: 20190428: all CVEs are from one fuzzing attempt
  NOTE: 20190428: some CVE testcases pass on the unpatched version,
  NOTE: 20190428: but since the fixes can be applied the code
  NOTE: 20190428: is likely vulnerable
  NOTE: 20190428: some CVE testcases still fail after applying the fix,
  NOTE: 20190428: older changes seem to also be required for them
  NOTE: 20200406: work is ongoing
--
libperlspeak-perl (Mike Gabriel)
  NOTE: 20200326: No patches yet.
  NOTE: 20200330: Requested EOL/jessie (sunweaver, h01ger).
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mumble (Abhijith PA)
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
--
netty
  NOTE: 20200408: Upstream patch looks fairly invasive and maybe incomplete
  NOTE: 20200408: ("This should probably be reopened.") (lamby)
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200406: still testing package, original patch does not seem to be enough, still ongoing
--
otrs2 (Abhijith PA)
--
php5 (Thorsten Alteholz)
--
ruby-rack
  NOTE: 20191219: The security update causes a regression and also, there's a
  NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102)
  NOTE: 20200216: Discussion ongoing on -lts list. (lamby)
--
shiro (Chris Lamb)
  NOTE: 20200329: https://github.com/apache/shiro/pull/203 (lamby)
  NOTE: 20200329: See 53dc30bf6823c98 in this repo. (lamby)
  NOTE: 20200402: Prepared a package but difficult running tests. Have asked
  NOTE: 20200402: the Debian maintainer at https://bugs.debian.org/955018#12
--
squid3 (Markus Koschany)
  NOTE: 20200330: There is still an issue with CVE-2019-12523 but the rest
  NOTE: 20200330: looks good now. (apo)
--
thunderbird (Emilio)
--
tomcat8 (Markus Koschany)
  NOTE: 20200330: I am reviewing a patch for Abhijith currently.
--
wireshark (Thorsten Alteholz)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200316: still no activity on upstream's bug tracker (beuc)
--
xen (Roberto C. Sánchez)
  NOTE: 20200302: xen 4.4 EOL'd, needs public announcement (roberto)
  NOTE: 20200302: https://lists.debian.org/debian-lts/2020/03/msg00024.html
  NOTE: 20200322: awaiting feedback on mailing list thread
--