path: root/data/dla-needed.txt
blob: 348c0abaca0bfcc558ee7337bd4887f8d9367901
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
ansible
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
apache2 (Emilio)
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
  NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
  NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
  NOTE: 20200928: If someone knows how to test the packages, please take this build and upload it (after testing it).
  NOTE: 20210118: wip (Emilio)
--
condor
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
  NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
  NOTE: 20210205: Some patches seem to be available, but it is not clear if they solve the whole issue or not. (ola)
--
ffmpeg (Anton Gladky)
  NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15
  NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are
  NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS,
  NOTE: 20210607: so some investigation and insight is required to see which
  NOTE: 20210607: apply and/or what we do with the version of ffmpeg in LTS
  NOTE: 20210607: going forward. There is a 3.4.x release branch, for example,
  NOTE: 20210607: but unclear on the compatibility as well as whether this one
  NOTE: 20210607: won't just be dropped too, etc. etc. (lamby)
--
gpac (Thorsten Alteholz)
  NOTE: 20210607: WIP
--
htmldoc (Utkarsh Gupta)
--
jetty9 (Sylvain Beucler)
--
libxstream-java
  NOTE: 20210603: upstream changed the default security framework to a whitelist,
  NOTE: 20210603: we should consider checking rdeps and doing the same and announce
  NOTE: 20210603: that the blocklist is no longer supported, see
  NOTE: 20210603: https://lists.debian.org/debian-lts/2021/06/msg00001.html (pochu)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
nettle (Emilio)
--
nvidia-graphics-drivers
  NOTE: package is in non-free but also in packages-to-support
  NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
prosody (Anton Gladky)
  NOTE: 20210519: at least the 10MB limit mentioned in CVE-2021-32918 is present
  NOTE: 20210530: WIP
--
ruby-actionpack-page-caching (Markus Koschany)
  NOTE: 20200819: Upstream's patch does not apply due to subsequent
  NOTE: 20200819: refactoring. However, a quick look at the private
  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
  NOTE: 20200819: uses the path without normalising any "../" etc., simply
  NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
--
ruby-doorkeeper (Sylvain Beucler)
--
ruby-kaminari (Markus Koschany)
  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
  NOTE: 20200819: the one upstream or in its many forks. For example, both the
  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
  NOTE: 20200819: file has been refactored a few times). (lamby)
  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
  NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
salt
  NOTE: 20210329: WIP (utkarsh)
  NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
  NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh)
  NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh)
--
shiro (Roberto C. Sánchez)
  NOTE: 20200920: WIP
  NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
  NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
  NOTE: 20201220: Upstream has responded.  Working with them to backport fixes. (roberto)
  NOTE: 20210511: Upstream provided suggestions/guidance on testing of backported fixes; testing/tweaking is in progress. (roberto)
--
slapi-nis (Thorsten Alteholz)
  NOTE: 20210607: WIP
--
sogo (Anton Gladky)
  NOTE: 20210603: maybe mention in announcement the recommendation to invalidate user
  NOTE: 20210603: sessions (see upstream blog). (pochu)
--
squid3 (Abhijith PA)
  NOTE: 20210523: not sure whether all CVEs really affect Stretch
  NOTE: 20210528: Looks like all CVEs affect stretch. (Ola)
  NOTE: 20210528: For some, buildRangeHeader has just moved from one file to another. (Ola)
  NOTE: 20210603: I'm working on an ELTS fix and it's the same version, WIP backported patches at:
  NOTE: 20210603: https://www.beuc.net/tmp/debian-elts/squid3/ (Beuc)
  NOTE: 20210609: https://deb.freexian.com/extended-lts/pool/main/s/squid3/ (Beuc)
--
xmlbeans
  NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
  NOTE: 20210222: upstream release with the fix).  Trying to determine how to
  NOTE: 20210222: implement the changes without introducing too much new code. (roberto)
  NOTE: 20210309: Have developed a minimal backport that accomplishes necessary security
  NOTE: 20210309: fix with minimal new code. (roberto)
  NOTE: 20210527: <el_cubano> My hope is to [...] pick back up on xmlbeans for both LTS and ELTS at the start of June
  NOTE: 20210601: claimed in ELTS by apo
--
