summaryrefslogtreecommitdiffstats
path: root/data/dla-needed.txt
blob: bad592a9941ecfab64e7612486fd32f3e64aa9b9 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
ansible (Markus Koschany)
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
  NOTE: 20201130: apo: I believe a partial update makes sense at the moment.
  NOTE: 20201130: Not everything is clear and obvious thus fixing some CVE is
  NOTE: 20201130: better than continue to ignore all of them.
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
  NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
  NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
  NOTE: 20200928: If someone know how to test the packages please take this build and upload (after testing it).
--
condor
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
  NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
--
f2fs-tools
  NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to
  NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
--
firmware-nonfree (Emilio)
--
golang-github-dgrijalva-jwt-go (Brian May)
--
golang-golang-x-net-dev
--
influxdb
--
intel-microcode
  NOTE: 20201117: hold off the update until it's settled in unstable, at least.
  NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! (utkarsh)
  NOTE: 20201122: the patch is ready but after discussing with the security team, hold on
  NOTE: 20201122: this update for 2 weeks to first let it land in buster. (utkarsh)
  NOTE: 20201122: Utkarsh will upload once its confirmed that there is no regression
  NOTE: 20201122: and is actively tracking it. (utkarsh)
--
lemonldap-ng (Utkarsh)
  NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby)
  NOTE: 20201122: still waiting to hear from upstream. (utkarsh)
--
libhibernate3-java
  NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby)
--
libsixel
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mariadb-10.1 (Adrian Bunk)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
  NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
--
open-build-service
  NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
  NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh)
  NOTE: 20201122: regression noticed; let the fix be exposed in sid for a week or two. (utkarsh)
--
opendmarc
  NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
--
openldap (Utkarsh)
  NOTE: 20201111: re-add openldap. two new slapd issues, CVEs are yet to be assigned. (utkarsh)
  NOTE: 20201130: couldn't complete the update, will process the upload after getting an ack from maintainer (if needed). (utkarsh)
--
pacemaker (Markus Koschany)
  NOTE: 20201117: See #974563 for further information.
  NOTE: 20201130: I will ask the other bug reporters for feedback and testing
  NOTE: 20201130: in #974563. The update itself looks good to me.
--
php-horde-trean
  NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
  NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
--
pluxml
  NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
--
reel
  NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
--
ruby-actionpack-page-caching
  NOTE: 20200819: Upstream's patch on does not apply due to subsequent
  NOTE: 20200819: refactoring. However, a quick look at the private
  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
  NOTE: 20200819: uses the path without normalising any "../" etc., simply
  NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
--
ruby-doorkeeper
  NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh)
  NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
  NOTE: 20200831: more investigation needed. (utkarsh)
  NOTE: 20201009: on another note, it needs more investigation if this version is affected in
  NOTE: 20201009: the first place or not. (utkarsh)
--
ruby-kaminari
  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
  NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the
  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
  NOTE: 20200819: file has been refactored a few times). (lamby)
  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
  NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
ruby-oauth
--
salt (Abhijith PA)
--
shiro
  NOTE: 20200920: WIP
  NOTE: 20200928: Still awaiting reponse to request for assistance sent to upstream dev list. (roberto)
  NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto)
--
slirp (Thorsten Alteholz)
  NOTE: Upstream patch for CVE-2020-8608 requires patches for
  NOTE: CVE-2020-7039 to be applied patched first, as they both patch
  NOTE: the same lines of code in tcp_subr.c (bam).
--
snapd (Brian May)
  NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto.
  NOTE: Problems with upload.
--
spice-vdagent (Abhijith PA)
  NOTE: code base seems largely changed. Pinged upstream for help (abhijith)
--
spip
  NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith)
--
webcit (Markus Koschany)
  NOTE: 20201130: Requested more information from upstream. Currently patches
  NOTE: or workarounds are not available.
--
wireshark
  NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
  NOTE: 20201007: those fixes as well! \o/ (utkarsh)
  NOTE: 20201108: 2.6.8-1.1 backported as first step
  NOTE: 20201108: will try to update wireshark in the next
  NOTE: 20201108: buster point release followed by another backport (bunk)
  NOTE: 20201123: NMU for unstable prepared as first step (bunk)
  NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk)
--
x11vnc (Thorsten Alteholz)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--
xdg-utils (Emilio)
  NOTE: 20201122: wait for a while to get the fix exposed in other suites. (utkarsh)
--
xorg-server (Emilio)
--

© 2014-2020 Faster IT GmbH | imprint | privacy policy