summaryrefslogtreecommitdiffstats
path: root/data/dla-needed.txt
blob: cfc91eb4ad901783b8a3fa2d52a58da8eca5ef60 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
clamav (Hugo Lefeuvre)
  NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster.
  NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration
  NOTE: does not seem very smooth from the perspective of users. The release
  NOTE: team would like to wait for an init script for the new clamonacc
  NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557
--
hiredis (Chris Lamb)
  NOTE: 20200118: no upstream patches, yet, but should be easy to fix (sunweaver)
  NOTE: 20200119: submitted patch upstream (lamby) 
  NOTE: 20200123: various alternative approaches being discussed upstream (lamby)
  NOTE: 20200123: new PR opened upstream (lamby)
--
ibus
  NOTE: 20191210: Requires glib2.0 to be patched also.
  NOTE: 20191210: See https://bugs.debian.org/941018
  NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
--
intel-microcode
--
jackson-databind
  NOTE: 20200105: Can be postponed again. (apo)
--
libexif
  NOTE: 20191111: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102)
  NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102)
  NOTE: 20191118: No patch yet. Shall claim and fix once the patch is available. (utkarsh2102)
  NOTE: 20191201: Pinged the upstream yet again. (utkarsh2102)
  NOTE: 20191216: The android patch does not apply but is easy to manually apply. (ola)
  NOTE: 20191216: The problem is the file to trigger the fault is not known. (ola)
  NOTE: 20200111: Investigated the issue, currently in contact with Ray Essick @google
  NOTE: 20200111: to get access to the reproducer. (hle)
--
libjackson-json-java (Adrian Bunk)
  NOTE: 20200127: work is ongoing
--
libmatio (Adrian Bunk)
  NOTE: fairly high number of open issues. Not sure why we never had a look at them.
  NOTE: triage work needed, help security team for fixes if needed.
  NOTE: 20190428: most patches can be applied after context adaption
  NOTE: 20190428: all CVEs are from one fuzzing attempt
  NOTE: 20190428: some CVE testcases pass on the unpatched version,
  NOTE: 20190428: but since the fixes can be made applied the code
  NOTE: 20190428: is likely vulnerable
  NOTE: 20190428: some CVE testcases still fail after applying the fix,
  NOTE: 20190428: older changes seem to also be required for them
  NOTE: 20200127: work is ongoing
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
nss (Markus Koschany)
  NOTE: 20200127: Fix for CVE-2019-17023 requires more work and testing but
  NOTE: release is planned for this week.
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing
--
openjdk-7 (Emilio)
--
openjpeg2 (Mike Gabriel)
  NOTE: 20200130: re-adding package again, after I just fixed CVE-2020-6851. Obviously a similar
  NOTE: 20200130: issue but different cause.
--
python-pysaml2 (Abhijith PA)
--
python-reportlab (Hugo Lefeuvre)
  NOTE: 20200127: upstream fix was published, but potentially unsuitable. currently investigating.
--
qemu (Utkarsh Gupta)
  NOTE: 20200118: embedded libslirp in qemu/jessie is affected. (sunweaver)
  NOTE: 20200119: Sent RFT to the list. (utkarsh2102)
--
radare2
  NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
  NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch.
  NOTE: Also note that there is a r2-pwnDebian challenge...
  NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
  NOTE: Support status is being discussed at:
  NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html
--
ruby-rack
  NOTE: 20191219: The security update causes a regression and also, there's a
  NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102)
--
ruby-rack-cors (Utkarsh Gupta)
--
salt
  NOTE: 20200118: about CVE-2019-17361... Compared to the upstream fix, there is a
  NOTE: 20200118: very similar code passage in salt/jessie's salt/client/api.py file.
  NOTE: 20200118: Needs to be checked, if that code is vulnerable or not.
--
slurm-llnl
  NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc
  NOTE: Regression found. (abhijith)
--
squid3
  NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf.
  NOTE: 20200116: Researched other distros to see if any had backported the fixes.  No luck.
  NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed.
  NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not
  NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that
  NOTE: 20200116: addresses the vulnerabilities. (roberto)
  NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID
  NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy
  NOTE: 20200120: to add those checks without introducing SBuf. (Ola)
  NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping
  NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more
  NOTE: 20200120: details on the intention. (Ola)
--
storebackup (Utkarsh Gupta)
--
tomcat8 (Abhijith PA)
 NOTE: 20200106: Almost done. Working on failing testcase.
--
wordpress
  NOTE: 20200118: Maybe affected, needs deeper triaging, no obvious commits
  NOTE: 20200118: referenced upstream. (sunweaver)
--
xcftools (Hugo Lefeuvre)
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review.
  NOTE: but I might just not receive any review any time soon, so I will now attempt to
  NOTE: fix the second issue and move on with the update.
  NOTE: 20200127: ongoing
--
xen
--
xerces-c (Hugo Lefeuvre)
  NOTE: 20191231: There is no upstream patch yet. (apo)
  NOTE: 20200118: There is still no upstream patch. (lamby)
--
yara
  NOTE: 20191212: no upstream fix yet
  NOTE: 20200119: still no upstream fix (daissi)
--

© 2014-2020 Faster IT GmbH | imprint | privacy policy