path: root/data/dla-needed.txt
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200219: no upstream fixes yet
--
bluez (Emilio)
  NOTE: 20200330: wip
--
ceph (Chris Lamb)
  NOTE: 20200408: Upstream patch does not cleanly apply; no std::any_of and
  NOTE: 20200408: lack of parsing of request state means no handy
  NOTE: 20200408: "is_anonymous" method. (lamby)
--
graphicsmagick (Roberto C. Sánchez)
--
inetutils (Roberto C. Sánchez)
  NOTE: 20200408: Check cfe888f14 in this repo, as well as #953477 and 9d28e4c3. (lamby)
--
jackson-databind (Utkarsh Gupta)
--
libconvert-asn1-perl (Utkarsh Gupta)
--
libmatio (Adrian Bunk)
  NOTE: fairly high number of open issues. Not sure why we never had a look at them.
  NOTE: triage work needed, help security team for fixes if needed.
  NOTE: 20190428: most patches can be applied after context adaption
  NOTE: 20190428: all CVEs are from one fuzzing attempt
  NOTE: 20190428: some CVE testcases pass on the unpatched version,
  NOTE: 20190428: but since the fixes can be applied, the code
  NOTE: 20190428: is likely vulnerable
  NOTE: 20190428: some CVE testcases still fail after applying the fix,
  NOTE: 20190428: older changes seem to also be required for them
  NOTE: 20200406: work is ongoing
--
libperlspeak-perl (Mike Gabriel)
  NOTE: 20200326: No patches yet.
  NOTE: 20200330: Requested EOL/jessie (sunweaver, h01ger).
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mumble (Abhijith PA)
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
--
netty
  NOTE: 20200408: Upstream patch looks fairly invasive and maybe incomplete
  NOTE: 20200408: ("This should probably be reopened.") (lamby)
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200406: still testing package, original patch does not seem to be enough, still ongoing
--
otrs2 (Abhijith PA)
--
php5 (Thorsten Alteholz)
--
ruby-rack
  NOTE: 20191219: The security update causes a regression and also, there's a
  NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102)
  NOTE: 20200216: Discussion ongoing on -lts list. (lamby)
--
shiro (Chris Lamb)
  NOTE: 20200329: https://github.com/apache/shiro/pull/203 (lamby)
  NOTE: 20200329: See 53dc30bf6823c98 in this repo. (lamby)
  NOTE: 20200402: Prepared a package but difficult running tests. Have asked
  NOTE: 20200402: the Debian maintainer at https://bugs.debian.org/955018#12
--
squid3 (Markus Koschany)
  NOTE: 20200330: There is still an issue with CVE-2019-12523 but the rest
  NOTE: 20200330: looks good now. (apo)
--
thunderbird (Emilio)
--
tomcat8 (Markus Koschany)
  NOTE: 20200330: I am reviewing a patch for Abhijith currently.
--
wireshark (Thorsten Alteholz)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200316: still no activity on upstream's bug tracker (beuc)
--
xen (Roberto C. Sánchez)
  NOTE: 20200302: xen 4.4 EOL'd, needs public announcement (roberto)
  NOTE: 20200302: https://lists.debian.org/debian-lts/2020/03/msg00024.html
  NOTE: 20200322: awaiting feedback on mailing list thread
--
