path: root/data/dla-needed.txt
blob: 9974dfc57c68e7cae7b758d1be8a87ec91074865
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name after it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
apache2
  NOTE: 20200501: The problem to solve is this: https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 (Ola)
  NOTE: 20200501: No CVE yet. (Ola)
  NOTE: 20200531: Asking upstream for CVE assignment. (utkarsh)
  NOTE: 20200604: waiting to hear from CVE team for their decision. (utkarsh)
  NOTE: 20200604: otherwise the patch is ready for upload. (utkarsh)
--
batik (Emilio)
--
cacti (Abhijith PA)
  NOTE: 20200529: A patch needs to be cooked up. Upstream patch not fit for jessie version (abhijith)
  NOTE: 20200620: WIP (abhijith)
  NOTE: 20200629: Working on the patch (abhijith)
--
condor (Roberto C. Sánchez)
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
--
coturn (Utkarsh Gupta)
--
curl (Thorsten Alteholz)
--
firefox-esr
--
freerdp
  NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
  NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver)
--
glib-networking
--
gupnp
--
imagemagick (Markus Koschany)
  NOTE: 20200622: Ongoing work
--
jackson-databind (Utkarsh Gupta)
  NOTE: 20200629: WIP (utkarsh)
--
libdatetime-timezone-perl
  NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto)
  NOTE: 20200619: There's no security issue in libdatetime-timezone-perl, but it embeds a copy
  NOTE: 20200619: of tzdata and gets updated similarly to the SUA updates for stable. (according to email, note added by ola)
  NOTE: 20200620: There is no security issue with the package. What we want to do is to provide an up-to-date timezone
  NOTE: 20200620: database, but that is not urgent. We want to provide 2020a-0+deb8u1. (according to email, note added by ola)
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
--
net-snmp
  NOTE: 20200628: be aware of the ABI break introduced by the patches! (thorsten)
--
nginx
  NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby)
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200621: testing package (thorsten)
--
perl (Abhijith PA)
  NOTE: 20200622: Working on failing tests (abhijith)
--
python3.4 (Sylvain Beucler)
  NOTE: 20200623: waiting for CVE-2020-14422's patch to be approved upstream
--
qemu
--
rails (Sylvain Beucler)
  NOTE: 20200624: asked for upstream feedback on regression
  NOTE: 20200624: https://github.com/rails/rails/issues/39301
--
ruby-rack
  NOTE: probably not affected (parse_cookies_header() is not available in Jessie, but code might hide somewhere else) (thorsten)
--
shiro (Chris Lamb)
  NOTE: 20200629: Taking this now as I did the last upload. (lamby)
--
squid3 (Markus Koschany)
  NOTE: 20200622: https://people.debian.org/~apo/lts/squid3/
  NOTE: 20200622: Patch for CVE-2019-12523 almost complete.
--
squirrelmail
  NOTE: 20200625: according to the oss-security email there are other issues to be fixed as well, probably not worth fixing if not needed in ELTS (thorsten)
--
sympa
  NOTE: 20200525: Incomplete patch. The complete patch has not been made public. (utkarsh)
  NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
  NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
  NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
  NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
  NOTE: 20200531: non-public patch received but don't think it should be applied (utkarsh)
  NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh)
  NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
  NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
--
tomcat8 (Markus Koschany)
--
tzdata
  NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto)
--
unbound
  NOTE: 20200616: Package unsupported.
  NOTE: 20200616: Not possible to update debian-security-support package in Jessie.
  NOTE: 20200616: https://lists.debian.org/debian-lts/2020/06/msg00038.html (bam)
--
wordpress (Utkarsh Gupta)
  NOTE: 20200623: WIP. (utkarsh)
--
wpa (Abhijith PA)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--
xen
  NOTE: 20200414: debian-security-support has been updated with EOL status
  NOTE: 20200414: and will be uploaded concurrent with next stretch/buster point releases
  NOTE: 20200414: cf. https://lists.debian.org/debian-lts/2020/04/msg00026.html (roberto)
--