A DSA is needed for the following source packages in old/stable. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. Some packages are not tracked here: - Linux kernel (tracking in kernel-sec repo) - Embargoed issues continue to be tracked in separate file. To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- curl (ghedo) -- fwupd -- libopenmpt -- knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- linux (carnil) Wait until more issues have piled up -- poppler (jmm) -- rails Sylvain Beucler proposed to help for the update, pending upstream feedback for CVE-2020-8163 -- squid (jmm) -- teeworlds (jmm) -- xcftools Hugo proposed to work on this update -- xen --