path: root/data/dla-needed.txt

An LTS security update is needed for the following source packages.

To add a new entry, please coordinate with this week's Front-Desk
person, and use the 'package-operations' LTS tool.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

When checking what packages to work on, use:
$ ./find-work
from the LTS admin repository, to sort packages by priority and
display important notes about the package (special attention, VCS,
testing procedures, programming language, etc.).

To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://lts-team.pages.debian.net/wiki/Development.html#triage-new-security-issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
ansible (debian)
  NOTE: 20231202: Added by Front-Desk (Beuc)
  NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021
  NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to
  NOTE: 20231202: assess/fix the situation.
  NOTE: 20231217: Begin to triage CVEs (rouca)
  NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca)
  NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
--
apache2
  NOTE: 20240418: Added by Front-Desk (apo)
--
atril
  NOTE: 20240121: Added by Front-Desk (apo)
  NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead.
  NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/
  NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh)
--
bind9
  NOTE: 20240218: Added by Front-Desk (lamby)
  NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby)
  NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and package builds fine.
  NOTE: 20240418: https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96
  NOTE: 20240418: All testing activities remains.
--
dnsmasq (dleidert)
  NOTE: 20240303: Added by Front-Desk (apo)
  NOTE: 20240325: Automatically unassigned (lamby)
  NOTE: 20240327: Claimed by lamby, started thread on deblts-team. (lamby)
  NOTE: 20240403: Re-assigned back to dleidert; see thread. (lamby)
--
docker.io
  NOTE: 20230303: Added by Front-Desk (Beuc)
  NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
  NOTE: 20230424: Is in preparation. (gladk)
  NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html
  NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version)
  NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case
  NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
  NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. (ola)
  NOTE: 20240407: Version 18.09.1+dfsg1-7.1+deb10u4 in Git has not been uploaded yet. (dleidert)
--
dogecoin
  NOTE: 20230619: Added by Front-Desk (Beuc)
  NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream,
  NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status;
  NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
  NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
--
edk2
  NOTE: 20231230: Added by Front-Desk (lamby)
  NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby)
  NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk)
--
emacs (Sean Whitton)
  NOTE: 20240403: Added by Front-Desk (lamby)
  NOTE: 20240403: Needs someone with a little familiarity with Lisp — by my
  NOTE: 20240403: eye, the version of emacs in LTS may not be vulnerable to,
  NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable
  NOTE: 20240403: to CVE-2024-30203. (lamby)
--
freeimage
  NOTE: 20240320: Added by Front-Desk (ta)
  NOTE: 20240320: lots of postponed issue could be fixed as well
  NOTE: 20240325: Lack of upstream activity,
  NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk)
  NOTE: 20240410: See discussion at: https://lists.debian.org/debian-lts/2024/04/threads.html#00012
  NOTE: 20240411: Added some postpone tags for DoS class and removed some where
  NOTE: 20240411: patch is available and has arbitrary code exec class. (ola)
  NOTE: 20240412: ELTS also have a need to update this package.
  NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola)
--
frr (tobi)
  NOTE: 20231119: Added by Front-Desk (apo)
  NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
  NOTE: 20240301: continue work (abhijith)
--
glibc (Adrian Bunk)
  NOTE: 20240419: Added by coordinator (santiago)
--
h2o
  NOTE: 20231228: Added by Front-Desk (lamby)
--
i2p
  NOTE: 20230809: Added by Front-Desk (Beuc)
  NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
--
jenkins-htmlunit-core-js
  NOTE: 20231231: Added by Front-Desk (lamby)
  NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance
  NOTE: 20231231: … suggests that the embedded copy of htmlunit is very old and may
  NOTE: 20231231: … not even support XLST processing. However, it does use the
  NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may
  NOTE: 20231231: … indeed be vulnerable. (lamby)
--
knot-resolver (Markus Koschany)
  NOTE: 20231029: Added by Front-Desk (gladk)
  NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
  NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola)
--
less (Abhijith PA)
  NOTE: 20240418: Added by Front-Desk (apo)
--
libpgjava (Markus Koschany)
  NOTE: 20240308: Added by Front-Desk (opal)
--
libreswan
  NOTE: 20230817: Added by Front-Desk (ta)
  NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
  NOTE: 20230909: https://salsa.debian.org/lts-team/packages/libreswan.git on the experimental
  NOTE: 20230909: branch. Upstream patch for CVE-2023-38710 does not apply at
  NOTE: 20230909: all due to code refactoring. I intend to package the version
  NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo)
--
libssh
  NOTE: 20231219: Added by Front-Desk (ta)
  NOTE: 20240225: Patches backported, tests pass.  Backports needs review.
  NOTE: 20240225: Re CVE-2023-48795: untested that Terrapin is actually
  NOTE: 20240225: mitigated.  Upstream have provided some input on doing that:
  NOTE: 20240225: <https://archive.libssh.org/libssh/2024-01/0000000.html>
  NOTE: 20240225: (spwhitton).
  NOTE: 20240227: Re CVE-2023-6918: commit 3eb99562 is simply to fix
  NOTE: 20240227: the build.  It is currently unknown whether it is safe.
  NOTE: 20240227: Upstream have provided some feedback on the issue:
  NOTE: 20240227: <https://archive.libssh.org/libssh/2024-02/0000009.html>
  NOTE: 20240227: (spwhitton).
--
libstb
  NOTE: 20231029: Added by Front-Desk (gladk)
  NOTE: 20231029: A lot of open CVEs. Maybe duplicates.
  NOTE: 20231029: If you take a package, please evaluate it as well as its importance.
  NOTE: 20231119: None of the new CVE fixes has been reviewed by upstream so far,
  NOTE: 20231119: and in the past CVE fixes have caused regressions.
  NOTE: 20231119: Wait for upstream merge of fixes (and fixing in unstable). (bunk)
  NOTE: 20230314: Reverted decision to remove from this file since
  NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye
  NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto)
--
linux (Ben Hutchings)
  NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
linux-5.10
  NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
--
mediawiki (guilhem)
  NOTE: 20240406: Added by Front-Desk (lamby)
  NOTE: 20240406: Added to address "TEMP-0000000-519C2D" at the time of writing. (lamby)
--
netty
  NOTE: 20240419: Added by Front-Desk (apo)
--
nodejs (guilhem)
  NOTE: 20240406: Added by Front-Desk (lamby)
--
nova
  NOTE: 20230302: Re-add, request by maintainer (Beuc)
  NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
  NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes);
  NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
  NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monoliticFlat disabled by default).
  NOTE: 20230302:  Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo)
  NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected.
  NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely.
  NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby)
--
nss
  NOTE: 20240121: Added by Front-Desk (apo)
  NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90.x (their LTS version) available and backport from there.
  NOTE: 20240310: see also: Message-ID: <Zd5GYmuVVIDU54Vv@isildor2.loewenhoehle.ip>
  NOTE: 20240310: (2024-02-27 [deblts-team@freexian.com] Re: Current status: nss for buster) (tobi)
--
nvidia-cuda-toolkit
  NOTE: 20230514: Added by Front-Desk (utkarsh)
  NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
  NOTE: 20230514: piled up. (utkarsh)
  NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
  NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
  NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to suggest removal of support. (ola)
--
nvidia-graphics-drivers
  NOTE: 20240303: Added by Front-Desk (apo)
  NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release?
  NOTE: 20240303: Maybe it's time to mark them EOL? (apo/front-desk)
--
nvidia-graphics-drivers-legacy-390xx
  NOTE: 20240303: Added by Front-Desk (apo)
  NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk)
--
openjdk-11 (Emilio)
  NOTE: 20240418: Added by pochu
--
org-mode (Sean Whitton)
  NOTE: 20240405: Added by Front-Desk (lamby)
--
pdns-recursor
  NOTE: 20240306: Added by Front-Desk (opal)
  NOTE: 20240319: Upload postponed due to #1067124 (dleidert)
--
putty (rouca)
  NOTE: 20231224: Added by Front-Desk (ta)
  NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca)
  NOTE: 20240324: Backport is straighforward (rouca)
  NOTE: 20240324: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/104
  NOTE: 20240412: Wait for comments by maintainer
--
python-asyncssh
  NOTE: 20240116: Added by Front-Desk (lamby)
  NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert)
--
rails
  NOTE: 20220909: Re-added due to regression (abhijith)
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
  NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
  NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
  NOTE: 20221024: to break thrice in less than 2 month.
  NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
  NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
--
ring
  NOTE: 20230903: Added by Front-Desk (gladk)
  NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
--
ruby-rack (Adrian Bunk)
  NOTE: 20240306: Added by Front-Desk (opal)
  NOTE: 20240408: waiting for feedback from Debian maintainer (bunk)
--
runc
  NOTE: 20240312: Added by coordinator (roberto)
  NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye.
  NOTE: 20240314: Uploads to ospu should be coordinated. (roberto)
--
samba (Santiago)
  NOTE: 20230918: Added by Front-Desk (apo)
  NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago)
--
sendmail (rouca)
  NOTE: 20231224: Added by Front-Desk (ta)
  NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765)
  NOTE: 20240217: Patch extracted and being reviewed (rouca)
  NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
  NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists,
  NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists,
  NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk)
  NOTE: 20240324: some issue coordinate with myself and security team (rouca)
--
shim (rouca)
  NOTE: 20240306: Added by Front-Desk (opal)
  NOTE: 20240415: https://salsa.debian.org/efi-team/shim/-/merge_requests/13
--
squid
  NOTE: 20240109: Added by Front-Desk (apo)
  NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix
  NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo)
--
suricata (Adrian Bunk)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie,
  NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored),
  NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk)
  NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
  NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
  NOTE: 20231016: Still reviewing+testing CVEs. (bunk)
  NOTE: 20231120: DLA coming soon. (bunk)
--
tiff (Thorsten Alteholz)
  NOTE: 20240314: Added by coordinator (roberto)
  NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and
  NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto)
--
tinymce
  NOTE: 20231123: Added by Front-Desk (ola)
  NOTE: 20231216: Someone with more XSS experience needed to assess the
  NOTE: 20231216: severity of CVE-2023-48219.  Also not clear to me that
  NOTE: 20231216: upstream's patch is backportable, as the code has changed a
  NOTE: 20231216: lot.  (spwhitton)
--
varnish
  NOTE: 20231117: Added by Front-Desk (apo)
  NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004
  NOTE: 20231219: Continuing work
  NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith)
  NOTE: 20240122: Still fixing tests (abhijith)
  NOTE: 20240213: Fixing tests.(abhijith)
--
wordpress (Markus Koschany)
  NOTE: 20240314: Added by coordinator (roberto)
  NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and
  NOTE: 20240314: bookwork. Uploads to spu and ospu should be coordinated. (roberto)
--
zabbix (Adrian Bunk)
  NOTE: 20240212: Added by Front-Desk (utkarsh)
--
zookeeper
  NOTE: 20240324: Added by Front-Desk (ta)
--