path: root/data/dla-needed.txt
blob: 799a5bbee6376be1c5d00a1deec2232b7ea0641c
A wheezy-lts security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
clamav (Santiago R.R.)
--
curl (Santiago R.R.)
--
dovecot (Thorsten Alteholz)
--
elinks
  NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat)
--
exempi (Markus Koschany)
  NOTE: 20180308: Not all upstream patches apply cleanly (lamby)
--
gcc-4.6 (Roberto C. Sánchez)
  NOTE: Backport the retpoline support for spectre mitigation.
  NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie.
  NOTE: This gcc version is used by the kernel build. Its update is
  NOTE: thus more important than the one of gcc-4.7.
--
gcc-4.7 (Roberto C. Sánchez)
  NOTE: Backport the retpoline support for spectre mitigation.
  NOTE: Do we want/need it on this gcc version as well?
--
firefox-esr (Emilio Pozuelo)
--
graphicsmagick
--
graphite2 (Abhijith PA)
--
icu (Thorsten Alteholz)
  NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public
--
isc-dhcp (Thorsten Alteholz)
--
jruby (Emilio Pozuelo)
--
krb5
  NOTE: lts-do-not-call
  NOTE: Details not public. Yet. See https://lists.debian.org/msgid-search/20180208212643.GB7792@pisco.westfalen.local
--
lame (Hugo Lefeuvre)
  NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46}
  NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie.
  NOTE: I'll test it, submit the update for Jessie and backport the result to Wheezy on time.
--
libav (Hugo Lefeuvre)
  NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop.
  NOTE: It is unlikely that he will start again in the next weeks.
  NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May.
  NOTE: Help is welcome, feel free to mail Hugo.
--
libgcrypt11
--
libmad (Kurt Roeckx)
--
libreoffice
--
libvorbis (Guido Günther)
  NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue.
  NOTE: Fixes for other CVEs applied upstream and in sid.
--
linux
--
ming (Hugo Lefeuvre)
  NOTE: 20180311: wip, currently working on it with upstream, might take a while
--
mingw-w64
--
mp4v2
--
mupdf (Hugo Lefeuvre)
--
opencv (Thorsten Alteholz)
--
openjdk-7 (Emilio Pozuelo)
--
php5
  NOTE: 20180226: consider reviewing the backlog of issues fixed in jessie to see if it is worth fixing a few DOS in the backlog (anarcat)
--
python-crypto
  NOTE: Incomplete fix for CVE-2018-6594.
  NOTE: See https://lists.debian.org/debian-lts/2018/02/msg00069.html
--
ruby1.9.1 (Emilio Pozuelo)
--
rubygems (Emilio Pozuelo)
--
tiff
  NOTE: incomplete fix of CVE-2017-18013, see CVE-2018-7456.
--
uwsgi
--
wireshark (Thorsten Alteholz)
--
wordpress
  NOTE: 20180217: Upstream unsure how to fix at the moment (lamby)
  NOTE: 20180221: Upstream still unsure how to fix (lamby)
  NOTE: 20180311: Upstream still unsure how to fix. <https://core.trac.wordpress.org/ticket/43308> (lamby)
--