path: root/data/dla-needed.txt
blob: 9bbbecae84a13a0bfdf0b8c71eef348102874d7c
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
abcm2ps (Anton)
--
ansible
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
asterisk (Abhijith PA)
  NOTE: 20220314: Looking on back log no-dsa (abhijith)
--
cacti (Sylvain Beucler)
  NOTE: 20220321: checking postponed vulnerabilities
--
condor
--
firmware-nonfree
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
gerbv (Anton)
  NOTE: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton)
--
golang-go.crypto
--
gpac
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
  NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
  NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
  NOTE: 20220305: There are many dozens of open CVEs, it will take a while yet (roberto)
--
icingaweb2
--
intel-microcode
  NOTE: 20220213: please recheck
--
jackson-databind
  NOTE: 20220320: wait for complete upstream fix (apo)
--
kicad
--
libarchive (Thorsten Alteholz)
  NOTE: 20220225: fix seems to be incomplete
--
libdatetime-timezone-perl (Emilio)
--
liblouis
  NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
  NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
--
libpgjava
--
libxml2 (Anton)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mariadb-10.1
  NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
--
mbedtls (Utkarsh)
--
minidlna (Thorsten Alteholz)
--
nvidia-graphics-drivers
  NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc)
  NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
  NOTE: 20220209: backport (apo)
--
pjproject (Abhijith PA)
  NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
  NOTE: 20220215: Asterisk and ring have embedded copy of pjproject (abhijith)
  NOTE: 20220302: uploading asterisk, ring and pjproject in one go (abhijith)
  NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/pjproject_2.5.5~dfsg-6+deb9u3.dsc
--
qemu
  NOTE: 20220320: Vulnerable function appears to be vhost_vsock_send_transport_reset.
  NOTE: 20220320: Consider looking into postponed issues (apo)
--
ring (Abhijith PA)
  NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
--
samba
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
  NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
  NOTE: 20220125: ftbfs, wip. (utkarsh)
--
smarty3
--
snapd
  NOTE: 20220308: seems vulnerable at least to setup_private_mount,
  NOTE: 20220308: but double check (pochu)
--
tiff (Utkarsh)
--
tzdata (Emilio)
--
unzip
  NOTE: 20220319: no patches yet but reproducible (apo)
--
usbguard
--
waitress
  NOTE: 20220320: I am not sure if we should ignore CVE-2022-24761 as it is
  NOTE: 20220320: basically another HTTP parsing error and a workaround exists
  NOTE: 20220320: or if we should overhaul the package and fix everything
  NOTE: 20220320: instead. Someone with more Python knowledge should take another look
  NOTE: 20220320: at it. (apo)
--
wireshark
--
zabbix
--
