path: root/data/dla-needed.txt
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
amd64-microcode
  NOTE: 20210831: no binary package was built, possibly due to non-free-specific rules
  NOTE: 20210831: https://lists.debian.org/debian-lts/2021/08/msg00033.html
  NOTE: 20210831: needs to be fixed (Beuc)
--
ansible (Lee Garrett)
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
cacti (Roberto C. Sánchez)
  NOTE: 20210829: not really sure whether affected, please recheck
  NOTE: 20210914: still assessing whether or not affected (roberto)
--
debian-archive-keyring (Utkarsh)
  NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
--
firmware-nonfree
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
--
gnutls28 (Sylvain Beucler)
  NOTE: 20210910: https://lists.debian.org/debian-lts/2021/09/msg00008.html
--
grilo (Thorsten Alteholz)
  NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38
  NOTE: 20210912: maintainer ok, testing package
--
krb5 (Adrian Bunk)
  NOTE: 20210905: testing fixes
--
libxstream-java (Anton Gladky)
  NOTE: 20210901: See thread at https://www.mail-archive.com/debian-lts@lists.debian.org/msg09588.html
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mosquitto
  NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp)
  NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp)
--
mupdf (Anton Gladky)
  NOTE: 20210817: fixes for CVE-2020-19609 and CVE-2021-37220 in buster are to be put into a point release.
--
nettle (Markus Koschany)
  NOTE: 20210719: difficult backport, wip (Emilio)
  NOTE: 20210913: CVE-2021-20305 has been fixed, the fix for CVE-2021-3580 is
  NOTE: almost complete.
--
ntfs-3g (Abhijith PA)
--
nvidia-graphics-drivers
  NOTE: package is in non-free but also in packages-to-support
  NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
openssl (Thorsten Alteholz)
  NOTE: 20210912: testing package, upload probably after LE fix
--
openssl1.0 (Thorsten Alteholz)
  NOTE: 20210912: testing package, upload probably after LE fix
--
plib
  NOTE: 20210829: no fix yet. (thorsten)
  NOTE: 20210829: upstream bug mentions that it might never get fixed. (utkarsh)
--
python-babel
  NOTE: 20210617: CVE-2021-20095 withdrawn, cf. 251b6e33 and #987824 (abhijith)
  NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
  NOTE: 20210620: Revisit when it has an assigned CVE ID (abhijith)
--
qtbase-opensource-src (Utkarsh)
  NOTE: 20210914: needs further checking for vulnerability. (utkarsh)
--
ruby-kaminari
  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
  NOTE: 20200819: the one upstream or in its many forks. For example, both the
  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
  NOTE: 20200819: file has been refactored a few times). (lamby)
  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
  NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
  NOTE: 20210719: https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch
  NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari.
  NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly.
--
ruby2.3 (Utkarsh)
  NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh)
  NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh)
--
rustc
  NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
  NOTE: https://bugs.debian.org/928422
  NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk)
--
salt
  NOTE: 20210329: WIP (utkarsh)
  NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
  NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh)
  NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh)
  NOTE: 20210816: will test the provided debdiff; needs testing as regression spotted. (utkarsh)
--
smarty3 (Abhijith PA)
  NOTE: 20210829: Track regression (abhijith)
  NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's reply (abhijith)
--
tiff (Utkarsh)
--