An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

To learn more about how this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
apache2
  NOTE: 20200501: The problem to solve is this: https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 (Ola)
  NOTE: 20200501: No CVE yet. (Ola)
  NOTE: 20200531: Asking upstream for CVE assignment. (utkarsh)
  NOTE: 20200604: waiting to hear from CVE team for their decision. (utkarsh)
  NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh)
--
cacti (Abhijith PA)
  NOTE: 20200529: A patch needs to be cooked up. Upstream patch does not fit the jessie version (abhijith)
--
condor
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
--
drupal7
--
freerdp (Mike Gabriel)
  NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
  NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver)
--
glib-networking
--
imagemagick (Markus Koschany)
--
intel-microcode
--
jquery
  NOTE: 20200606: This was fixed upstream in a set of wider changes
  NOTE: 20200606: (a938d7b128) which cannot be applied. Even the specific part
  NOTE: 20200606: cannot be cherry-picked as it calls out to jQuery.parseHTML
  NOTE: 20200606: which has a keepScripts argument. We could easily change
  NOTE: 20200606: the rscript regex to also match the problematic whitespace, but
  NOTE: 20200606: this may not be complete as it does not do all the other checks
  NOTE: 20200606: and magic that parseHTML does (e.g. hacking document.implementation).
  NOTE: 20200606: I do not know enough about this sanitisation and we don't want
  NOTE: 20200606: to be playing whack-a-mole here. (lamby)
--
libdatetime-timezone-perl
  NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto)
--
libexif (Utkarsh Gupta)
  NOTE: maintainer provided diff last time. It would be better if we ping them (abhijith)
--
libmatio (Adrian Bunk)
  NOTE: fairly high number of open issues. Not sure why we never had a look at them.
  NOTE: triage work needed, help security team for fixes if needed.
  NOTE: 20190428: most patches can be applied after context adaption
  NOTE: 20190428: all CVEs are from one fuzzing attempt
  NOTE: 20190428: some CVE testcases pass on the unpatched version,
  NOTE: 20190428: but since the fixes can be made to apply the code
  NOTE: 20190428: is likely vulnerable
  NOTE: 20190428: some CVE testcases still fail after applying the fix,
  NOTE: 20190428: older changes seem to also be required for them
  NOTE: 20200518: work is ongoing (bunk)
--
libpgjava
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
--
nginx
  NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby)
--
nss (Adrian Bunk)
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200511: new CVEs arrived (thorsten)
  NOTE: 20200524: testing package
--
perl (Abhijith PA)
--
php5 (Thorsten Alteholz)
  NOTE: 20200524: new CVE arrived (thorsten)
--
python-django (Chris Lamb)
  NOTE: 20200609: Regression in upstream's latest release (lamby)
  NOTE: 20200609: https://code.djangoproject.com/ticket/31654#comment:14 (lamby)
--
qemu (Adrian Bunk)
  NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk)
--
rails
--
sqlite3 (Abhijith PA)
--
squid3 (Markus Koschany)
  NOTE: 20200531: Ongoing work on squid3 in Stretch which will be used for Jessie
  NOTE: 20200531: and Stretch.
--
sympa
  NOTE: 20200525: Incomplete patch. The complete patch has not been made public. (utkarsh)
  NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
  NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
  NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
  NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
  NOTE: 20200531: non-public patch received but don't think it should be applied (utkarsh)
  NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh)
  NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
  NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
--
thunderbird (Roberto C. Sánchez)
--
tzdata
  NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto)
--
unbound
--
wpa
--
xawtv (Utkarsh Gupta)
--
xcftools (Anton Gladky)
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--
xen
  NOTE: 20200414: debian-security-support has been updated with EOL status
  NOTE: 20200414: and will be uploaded concurrently with the next stretch/buster point releases
  NOTE: 20200414: c.f., https://lists.debian.org/debian-lts/2020/04/msg00026.html (roberto)
--