path: root/data/dla-needed.txt
blob: c1e409a48ce35c5439c6a3106bdc6dc7105ed1d7
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
cacti (Abhijith PA)
  NOTE: 20200529: A patch needs to be cooked up. Upstream patch does not fit the jessie version (abhijith)
  NOTE: 20200620: WIP (abhijith)
  NOTE: 20200629: Working on the patch (abhijith)
  NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh)
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
--
cimg
  NOTE: 20200709: Upstream patch is against a newer "load_network_external"
  NOTE: 20200709: method (vs "load_network") but is still missing the argument
  NOTE: 20200709: sanitisation. (lamby)
--
condor (Roberto C. Sánchez)
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
--
curl (Thorsten Alteholz)
--
ffmpeg (Adrian Bunk)
  NOTE: 20200707: Vulnerable to at least CVE-2020-13904. (lamby)
  NOTE: 20200707: According to jmm, ffmpeg in stretch follows the 3.2.x releases
  NOTE: 20200707: (same as for buster, which he is rebasing to 4.1.6 in the
  NOTE: 20200707: next few days) [stretch] should continue to do for LTS as
  NOTE: 20200707: long as 3.2 releases are made, only a minor subset of
  NOTE: 20200707: ffmpeg bugs get a CVE assigned. There was a 3.2.15 release a
  NOTE: 20200707: few days ago, which should fix this and many others. (lamby)
--
firefox-esr (Emilio)
--
freerdp
  NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
  NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver)
--
golang-github-seccomp-libseccomp-golang (Adrian Bunk)
--
gupnp
--
imagemagick (Markus Koschany)
  NOTE: 20200713: Ongoing work
--
jruby
  NOTE: 20200706: all open CVEs were fixed in jessie (Beuc)
--
json-c
  NOTE: 20200709: Not all of the patches for CVE-2020-12762 apply
  NOTE: 20200709: directly/cleanly to the version in stretch, but I suspect we
  NOTE: 20200709: are still vulnerable. (lamby)
--
jupyter-notebook
  NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
--
ksh
--
libjpeg-turbo (Adrian Bunk)
--
libopenmpt (Utkarsh Gupta)
--
libpam-radius-auth (Utkarsh Gupta)
--
librsvg (Emilio)
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mercurial (Roberto C. Sánchez)
  NOTE: 20200706: all open CVEs were fixed in jessie (Beuc)
--
milkytracker (Adrian Bunk)
  NOTE: 20200708: (At least) CVE-2020-15569. (lamby)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
--
mupdf
  NOTE: 20200708: Vulnerable to at least CVE-2019-13290. (lamby)
--
nginx (Sylvain Beucler)
  NOTE: 20200713: update is ready, will publish after point release unless it's delayed too much (Beuc)
  NOTE: 20200713: https://www.beuc.net/tmp/debian-lts/nginx/
  NOTE: 20200713: this deb9u5 includes/supersedes stretch-pu deb9u4
--
nss (Adrian Bunk)
  NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200621: testing package (thorsten)
--
pillow
  NOTE: 20200711: Appears vulnerable to at least CVE-2020-10177, but not CVE-2020-10378. (lamby)
--
poppler (Emilio)
--
puma
  NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby)
--
python3.5 (Sylvain Beucler)
  NOTE: 20200709: update is ready, only (lotsa) non-critical CVEs so uploading after point release unless it's delayed too much (Beuc)
  NOTE: 20200709: https://www.beuc.net/tmp/debian-lts/python3.5/
--
qemu
  NOTE: might be fixed by -pu. Visit later (utkarsh)
--
rails (Sylvain Beucler)
  NOTE: 20200706: coordinating/reviewing stretch update with security/ruby/upstream teams (Beuc)
  NOTE: 20200706: https://lists.debian.org/debian-lts/2020/07/msg00065.html
  NOTE: 20200709: https://www.beuc.net/tmp/debian-lts/rails/
  NOTE: 20200709: this deb9u3 includes/supersedes stretch-pu deb9u2
  NOTE: 20200713: secteam was planning to work on buster side past week-end
--
ruby-zip
  NOTE: 20200710: Vulnerable to at least CVE-2018-1000544. (lamby)
  NOTE: 20200710: Was fixed in jessie LTS via DLA-1467-1. (lamby)
--
salt
  NOTE: 20200710: Vulnerable to at least CVE-2018-15751, which was
  NOTE: 20200710: not an issue in jessie LTS. (lamby)
--
samba (Roberto C. Sánchez)
  NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
--
sqlite3
  NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby)
--
squid3 (Markus Koschany)
--
sympa
  NOTE: 20200525: Incomplete patch. The complete patch has not been made public. (utkarsh)
  NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
  NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
  NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
  NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
  NOTE: 20200531: non-public patch received but don't think it should be applied (utkarsh)
  NOTE: 20200604: the upload is ready but has been put on hold for a while. (utkarsh)
  NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
  NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
--
transmission (Utkarsh Gupta)
--
wordpress
  NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)
  NOTE: 20200710: During triage noticed that CVE-2020-4046 was marked as fixed
  NOTE: 20200710: in 4.1.31+dfsg-0+deb8u1 in jessie LTS, yet does not seem that
  NOTE: 20200710: it was vulnerable to begin with. (lamby)
--
wpa (Abhijith PA)
  NOTE: 20200709: #949367 is a stretch-pu update for CVE-2019-16275 (bunk)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--