An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

To learn more about how this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
cacti (Abhijith PA)
  NOTE: 20200529: A patch needs to be cooked up. Upstream patch not fit for jessie version (abhijith)
  NOTE: 20200620: WIP (abhijith)
  NOTE: 20200629: Working on the patch (abhijith)
  NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh)
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal (lamby)
--
cimg
  NOTE: 20200709: Upstream patch is against a newer "load_network_external"
  NOTE: 20200709: method (vs "load_network") but is still missing the argument
  NOTE: 20200709: sanitisation. (lamby)
--
condor (Roberto C. Sánchez)
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
--
curl (Thorsten Alteholz)
--
ffmpeg (Adrian Bunk)
  NOTE: 20200707: Vulnerable to at least CVE-2020-13904. (lamby)
  NOTE: 20200707: According to jmm, ffmpeg in stretch follows the 3.2.x releases
  NOTE: 20200707: (same as for buster, which he is rebasing to 4.1.6 in the
  NOTE: 20200707: next few days); [stretch] should continue to do so for LTS as
  NOTE: 20200707: long as 3.2 releases are made; only a minor subset of
  NOTE: 20200707: ffmpeg bugs get a CVE assigned. There was a 3.2.15 release a
  NOTE: 20200707: few days ago, which should fix this and many others. (lamby)
--
firefox-esr (Emilio)
--
freerdp
  NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
  NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver)
--
golang-github-seccomp-libseccomp-golang (Adrian Bunk)
--
gupnp
--
imagemagick (Markus Koschany)
  NOTE: 20200713: Ongoing work
--
jruby
  NOTE: 20200706: all open CVEs were fixed in jessie (Beuc)
--
json-c
  NOTE: 20200709: Not all of the patches for CVE-2020-12762 apply
  NOTE: 20200709: directly/cleanly to the version in stretch, but I suspect we
  NOTE: 20200709: are still vulnerable. (lamby)
--
jupyter-notebook
  NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
--
ksh
--
libjpeg-turbo (Adrian Bunk)
--
libopenmpt (Utkarsh Gupta)
--
libpam-radius-auth (Utkarsh Gupta)
--
librsvg (Emilio)
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mercurial (Roberto C. Sánchez)
  NOTE: 20200706: all open CVEs were fixed in jessie (Beuc)
--
milkytracker (Adrian Bunk)
  NOTE: 20200708: (At least) CVE-2020-15569. (lamby)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
--
mupdf
  NOTE: 20200708: Vulnerable to at least CVE-2019-13290. (lamby)
--
nginx (Sylvain Beucler)
  NOTE: 20200713: update is ready, will publish after point release unless it's delayed too much (Beuc)
  NOTE: 20200713: https://www.beuc.net/tmp/debian-lts/nginx/
  NOTE: 20200713: this deb9u5 includes/supersedes stretch-pu deb9u4
--
nss (Adrian Bunk)
  NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200621: testing package (thorsten)
--
pillow
  NOTE: 20200711: Appears vulnerable to at least CVE-2020-10177, but not CVE-2020-10378. (lamby)
--
poppler (Emilio)
--
puma
  NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby)
--
python3.5 (Sylvain Beucler)
  NOTE: 20200709: update is ready, only (lots of) non-critical CVEs so uploading after point release unless it's delayed too much (Beuc)
  NOTE: 20200709: https://www.beuc.net/tmp/debian-lts/python3.5/
--
qemu
  NOTE: might be fixed by -pu. Visit later (utkarsh)
--
rails (Sylvain Beucler)
  NOTE: 20200706: coordinating/reviewing stretch update with security/ruby/upstream teams (Beuc)
  NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00065.html
  NOTE: 20200709: https://www.beuc.net/tmp/debian-lts/rails/
  NOTE: 20200709: this deb9u3 includes/supersedes stretch-pu deb9u2
  NOTE: 20200713: secteam was planning to work on the buster side over the past weekend
--
ruby-zip
  NOTE: 20200710: Vulnerable to at least CVE-2018-1000544. (lamby)
  NOTE: 20200710: Was fixed in jessie LTS via DLA-1467-1. (lamby)
--
salt
  NOTE: 20200710: Vulnerable to at least CVE-2018-15751, which was
  NOTE: 20200710: not an issue in jessie LTS. (lamby)
--
samba (Roberto C. Sánchez)
  NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
--
sqlite3
  NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby)
--
squid3 (Markus Koschany)
--
sympa
  NOTE: 20200525: Incomplete patch. The complete patch has not been made public. (utkarsh)
  NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
  NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
  NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
  NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
  NOTE: 20200531: non-public patch received but don't think it should be applied (utkarsh)
  NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh)
  NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
  NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
--
transmission (Utkarsh Gupta)
--
wordpress
  NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)
  NOTE: 20200710: During triage noticed that CVE-2020-4046 was marked as fixed
  NOTE: 20200710: in 4.1.31+dfsg-0+deb8u1 in jessie LTS, yet it does not seem that
  NOTE: 20200710: it was vulnerable to begin with. (lamby)
--
wpa (Abhijith PA)
  NOTE: 20200709: #949367 is a stretch-pu update for CVE-2019-16275 (bunk)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestions for improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--
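The ansible entry above (CVE-2020-1736) contrasts a hardcoded 0666 default in atomic_move with the 0660 upstream tried in PR 68970, and bam's note that only newly created files are affected. The following is an added illustration of that difference, not ansible's code and not part of this tracker. It assumes only that a new file's mode ends up as the default permission masked by the process umask; the constants, helper names (effective_mode, create_new_file, compare_policies) and the sample umask are hypothetical.

```python
import os
import stat
import tempfile

# Constructed illustration of the two defaults the ansible note contrasts:
# a hardcoded 0666 (what the note says jessie's atomic_move does) versus the
# 0660 upstream tried in PR 68970. Neither constant is ansible's code; the
# mode computation (default & ~umask) is the assumption being demonstrated.
HARDCODED_DEFAULT_PERM = 0o666
PROPOSED_DEFAULT_PERM = 0o660


def effective_mode(default_perm, umask):
    """Mode a newly created file gets when default_perm is masked by umask."""
    return default_perm & ~umask & 0o777


def is_world_readable(mode):
    """True if the 'other' read bit is set, i.e. any local user can read it."""
    return bool(mode & stat.S_IROTH)


def current_umask():
    """Read the process umask without changing it: umask() only reports the
    old value while setting a new one, so set it and immediately restore."""
    old = os.umask(0)
    os.umask(old)
    return old


def create_new_file(directory, default_perm):
    """Create a brand-new file and apply what a hardcoded default implies:
    the temp file starts at 0600 (mkstemp), then is chmod'ed to
    default_perm & ~umask. Returns the resulting permission bits."""
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    os.chmod(path, default_perm & ~current_umask())
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_policies(umask=0o022):
    """Create one new file under each default with the given umask and return
    (mode, world_readable) for each; the umask is restored afterwards."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            results = {}
            for name, perm in (("hardcoded_0666", HARDCODED_DEFAULT_PERM),
                               ("proposed_0660", PROPOSED_DEFAULT_PERM)):
                mode = create_new_file(d, perm)
                results[name] = (mode, is_world_readable(mode))
            return results
    finally:
        os.umask(old)


if __name__ == "__main__":
    # With the common umask 022, 0666 yields 0644 (world-readable) while
    # 0660 yields 0640.
    for name, (mode, readable) in compare_policies().items():
        print(f"{name}: mode {mode:04o}, world-readable: {readable}")
```

The example deliberately creates new files only: as bam's note says, for an existing file the same code resets the permissions to the value the file already had, so the default matters only when nothing previously existed at the destination.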