path: root/data/dla-needed.txt
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
389-ds-base
--
ansible (Abhijith PA)
  NOTE: Consider fixing no-dsa issues which were never fixed via a point release
--
bouncycastle (Markus Koschany)
--
ca-certificates
  NOTE: 20180531: check if we need to perform an update before wheezy is EOL (anarcat)
  NOTE: 20180601: Will keep this open and check for jessie now. (lamby)
--
dokuwiki (Abhijith PA)
  NOTE: CVE-2017-18123 fixed in wheezy.
--
enigmail
  NOTE: 20180603: Commits between https://sourceforge.net/p/enigmail/source/ci/f6c111 (abhijith)
  NOTE: 20180603: and https://sourceforge.net/p/enigmail/source/ci/d2a83a might be useful. (abhijith)
--
evolution
--
exiv2
  NOTE: 20180628: The only outstanding vulnerability, CVE-2018-11037, is slated to be fixed in the next upstream release, 0.27.
--
firefox-esr (Emilio Pozuelo)
  NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL.
  NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work.
--
git
--
graphicsmagick
--
intel-microcode
--
ipsec-tools
  NOTE: CVE-2016-10396 fixed in wheezy. No further point release so this should be fixed this way instead.
--
kdepim
--
kf5-messagelib
  NOTE: 20180623: efail-related (lamby)
--
kmail
--
lame (Hugo Lefeuvre)
  NOTE: 20180529: Tested patch ready for upload. Waiting for feedback from the security team.
  NOTE: See https://lists.debian.org/debian-lts/2018/05/msg00081.html
--
lava-server (Thorsten Alteholz)
  NOTE: get_remote_definition is get_remote_json in this version
--
libav (Hugo Lefeuvre)
  NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop.
  NOTE: 20180118: It is unlikely that he will start again in the next weeks.
  NOTE: 20180118: I am currently working on CVE triage but I will not be able to process the whole backlog until May.
  NOTE: 20180529: Help is welcome, feel free to mail Hugo. Still up-to-date. Help needed for CVE triage and patch development.
  NOTE: 20180529: Just contacted some of the CVE reporters to ask for the reproducers, CC-ed team ML.
--
libgcrypt20 (Emilio Pozuelo)
--
libidn (Santiago)
  NOTE: CVE-2017-14062 fixed in wheezy. 20180622: Markus reports that Santiago has proposed an update for this to the security team. (lamby)
--
liblouis
--
libspring-java
--
linux
--
mariadb-10.0 (Emilio Pozuelo)
--
mercurial (Antoine)
  NOTE: CVE-2017-17458 and CVE-2018-1000132 fixed in wheezy.
--
ming (Hugo Lefeuvre)
  NOTE: 20180529: wip, currently working on it with upstream. Lots of fuzzing noise,
  NOTE: many duplicate issues. I'm currently working on the next upload, which will fix
  NOTE: another batch of CVEs. It will most likely not be ready until Wheezy EOL, but I
  NOTE: will upload it for ELTS.
--
mosquitto (Thorsten Alteholz)
  NOTE: CVE-2017-7651 and CVE-2017-7652 fixed in wheezy.
--
phpmyadmin (Abhijith PA)
--
qemu (Santiago)
--
simplesamlphp
  NOTE: CVE-2017-12872 fixed in wheezy.
  NOTE: CVE-2017-12868 probably not affected as jessie has php 5.6. Should be double-checked though.
--
slurm-llnl (Thorsten Alteholz)
  NOTE: CVE-2018-7033 fixed in wheezy.
--
thunderbird (Emilio Pozuelo)
--
tiff
--
tiff3 (Holger Levsen)
--
tomcat8 (Roberto C. Sánchez)
  NOTE: 20180626: Awaiting feedback from Security team and Tomcat maintainers about 8.0.x EOL strategy.
--
xen (Emilio Pozuelo)
--
zendframework (Thorsten Alteholz)
  NOTE: CVE-2016-4861 fixed in wheezy.
--
