An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
abcm2ps (Anton)
--
ansible
NOTE: 20210411: As discussed with the maintainer I will update Buster first and
NOTE: 20210411: after that LTS. (apo)
NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
ckeditor
NOTE: 20220402: multiple pending vulnerabilities (Beuc)
--
condor (Markus Koschany)
--
debian-security-support
NOTE: 20220402: need to update the list of unsupported packages (Beuc)
NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc)
NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg00000.html (Beuc)
--
firmware-nonfree
NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
NOTE: 20211207: Intend to release this week.
--
gerbv
NOTE: 20220321: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton)
NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton)
NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton)
--
golang-1.7
NOTE: 20220402: harmonize with bullseye/11.3 (Beuc)
--
golang-1.8
NOTE: 20220402: harmonize with bullseye/11.3 (Beuc)
--
golang-go.crypto
NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc)
--
gpac (Roberto C. Sánchez)
NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
NOTE: 20220305: There are many dozens of open CVEs, it will take a while yet (roberto)
--
icingaweb2 (Abhijith PA)
--
intel-microcode
NOTE: 20220213: please recheck
--
jackson-databind
NOTE: 20220320: wait for complete upstream fix (apo)
--
kicad
--
kvmtool
NOTE: 20220402: stretch-specific, orphaned package (Beuc)
NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc)
--
libarchive (Thorsten Alteholz)
NOTE: 20220327: next round of testing
--
liblouis
NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
--
libpgjava
--
libvirt (Thorsten Alteholz)
--
libxml2 (Anton)
--
libz-mingw-w64
NOTE: 20220231: upcoming DSA (Beuc)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mariadb-10.1
NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
--
mbedtls (Utkarsh)
--
minidlna (Thorsten Alteholz)
NOTE: 20220327: update other releases first
--
mitmproxy
--
nvidia-cuda-toolkit
NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc)
--
nvidia-graphics-drivers
NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc)
NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
NOTE: 20220209: backport (apo)
--
openjpeg2 (Anton)
NOTE: 20220330: also align with DSA-4882-1 (Beuc)
--
openvpn
NOTE: 20220402: harmonize with buster/10.10 (Beuc)
--
pdns
NOTE: 20220402: harmonize with buster/10.8 (Beuc)
--
puppet-module-puppetlabs-firewall
NOTE: 20220402: no Debian maintainer activity since 2018 (Beuc)
--
qemu (Emilio)
NOTE: 20220320: Vulnerable function appears to be vhost_vsock_send_transport_reset.
NOTE: 20220320: Consider looking into postponed issues (apo)
--
ring (Abhijith PA)
NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
--
samba
NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
NOTE: 20220125: ftbfs, wip. (utkarsh)
--
smarty3
--
snapd
NOTE: 20220308: seems vulnerable at least to setup_private_mount,
NOTE: 20220308: but double check (pochu)
--
sox
NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton)
NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton)
--
tiff (Utkarsh)
--
twig
NOTE: 20220402: cf. DSA-5107-1; similar code in lib/Twig/Extension/Core.php (Beuc)
--
unzip
NOTE: 20220319: no patches yet but reproducible (apo)
--
usbguard (Markus Koschany)
--
waitress
NOTE: 20220320: I am not sure if we should ignore CVE-2022-24761 as it is
NOTE: 20220320: basically another HTTP parsing error and a workaround exists
NOTE: 20220320: or if we should overhaul the package and fix everything
NOTE: 20220320: instead. Someone with more Python knowledge should take another look
NOTE: 20220320: at it. (apo)
--
zabbix
--