path: root/data/dla-needed.txt
blob: ea703fd56e3d2a4ffecd0ead69639ba0ca4e4f30
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
clamav (Hugo Lefeuvre)
  NOTE: wait for a definitive patch to be available, then upgrade to the latest upstream
  NOTE: release (follow stretch changes) (hle)
  NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html
--
dnsmasq (Mike Gabriel)
--
faad2 (Hugo Lefeuvre)
  NOTE: 20190810: I have done a second review of my patches and pinged Fabian to get them
  NOTE: merged at some point. See https://github.com/knik0/faad2/pull/36
  NOTE: working on more patches (hle)
--
freeimage
  NOTE: Maintainer will take care of the update.
  NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html
  NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597
--
freetype (Thorsten Alteholz)
--
golang-go.crypto
  NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby)
--
hdf5 (Hugo Lefeuvre)
  NOTE: 20190810: Upstream is aware of currently open issues. Progress is slow,
  NOTE: wait for the next HDF5 point release and either do full package upgrade
  NOTE: or cherry pick fixes (hle)
--
imagemagick (Hugo Lefeuvre)
  NOTE: 20190809: almost done with triage. one issue really deserves a DLA, a few others
  NOTE: can be shipped along (good patches, low regression risk). triaged the rest no-dsa.
  NOTE: waiting for upstream to answer my questions before proceeding further.
--
libav (Mike Gabriel)
  NOTE: 20190529: There are currently 19 CVE issues known for libav in jessie,
  NOTE: 20190529: 11 tagged as <no-dsa>. These issues have been triaged, no patch
  NOTE: 20190529: has been found, so far. If you pick libav, be prepared to work
  NOTE: 20190529: out patches yourself.
  NOTE: 20190731: New CVEs occurred, need to be triaged.
--
libmatio (Adrian Bunk)
  NOTE: fairly high number of open issues. Not sure why we never had a look at them.
  NOTE: triage work needed, help security team for fixes if needed.
  NOTE: 20190428: most patches can be applied after context adaption
  NOTE: 20190428: all CVEs are from one fuzzing attempt
  NOTE: 20190428: some CVE testcases pass on the unpatched version,
  NOTE: 20190428: but since the fixes can be applied the code
  NOTE: 20190428: is likely vulnerable
  NOTE: 20190428: some CVE testcases still fail after applying the fix,
  NOTE: 20190428: older changes seem to also be required for them
  NOTE: 20190804: work is ongoing
--
libqb
  NOTE: 20190616: Upstream patch does not apply at all, but it appears that
  NOTE: 20190616: the package is still vulnerable in ipc_posix_mq.c etc. or
  NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby)
  NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html
--
libreoffice
  NOTE: probably Jessie is affected as well
--
libsdl1.2 (Hugo Lefeuvre)
  NOTE: see libsdl2 entry.
--
libsdl2 (Hugo Lefeuvre)
  NOTE: 20190809: probable fix for CVE-2019-13626: https://hg.libsdl.org/SDL/rev/b06fa7da012b
  NOTE: waiting for somebody to confirm. if this is right I'd just mark this issue no-dsa,
  NOTE: the issue is quite minor and the patch extremely big and full of unrelated changes.
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
openjdk-7 (Markus Koschany)
  NOTE: 20190804: The new OpenJDK 7 package needs more testing because this is
  NOTE: the first package which we could not simply backport.
--
python2.7 (Thorsten Alteholz)
  NOTE: 20190804: need to check test suite failures unrelated to this patch
--
python3.4 (Thorsten Alteholz)
--
qemu
  NOTE: 20190528: An upload candidate is waiting to be tested on real hardware.
  NOTE: 20190528: Still need to set up a notebook with jessie installed for testing.
  NOTE: 20190528: Will also mail a request for testing to the mailing list later
  NOTE: 20190528: today.
  NOTE: 20190529: Upload candidate: http://packages.sunweavers.net/debian/pool/main/q/qemu/qemu_2.1+dfsg-12+deb8u12.dsc
  NOTE: 20190529: More testing needed.
--
ruby-mini-magick (Thorsten Alteholz)
  NOTE: 20190805: package does not build in Jessie
--
ruby-openid
  NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby)
  NOTE: 20190701: Pinged bug (lamby)
  NOTE: 20190705: Pinged bug (lamby)
  NOTE: 20190710: I'm at a loss as to how to continue pursuing this issue (see https://github.com/openid/ruby-openid/issues/122) so returning to the pool. (lamby)
  NOTE: 20190726: Still unknown how to fix (see aforementioned github issue) (lamby)
  NOTE: 20190812: Details: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
--
slurm-llnl (Abhijith PA)
  NOTE: 20190814: Contacted security of slurm-llnl for relevant commits (abhijith)
--
sox
  NOTE: 20190721: no patch available (hle)
--
subversion (Roberto C. Sánchez)
  NOTE: 20190804: For (at least) CVE-2018-11782 the svn_err_trace that is in the diff has not been added yet. (lamby)
--
tika (Hugo Lefeuvre)
  NOTE: 20190813: found commit links and reproducers.
  NOTE: currently having difficulties reproducing issues. Asked maintainer for help (cf. debian-lts ML)
--
wireshark (Thorsten Alteholz)
--
wordpress
  NOTE: 20190614: No upstream fix yet. (apo)
--
xen
  NOTE: 20190629: Contacted credativ support and asked for a status update
--
xymon (Thorsten Alteholz)
--