path: root/data/dla-needed.txt
blob: efa1abd19a79258609a4096f4ed2ebe97b7c1c13
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
android-platform-system-core
  NOTE: 20221102: Programming language: C++.
  NOTE: 20221102: VCS: https://salsa.debian.org/lts-team/packages/android-platform-system-core.git
  NOTE: 20221102: The package in buster is likely affected but since no known fix is available it is hard to tell without running the proof of concept code.
  NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs as minor. (ola)
  NOTE: 20221103: Both PoCs (CVE-2022-20128 & CVE-2022-3168) work for me in buster (Beuc)
--
asterisk (Markus Koschany)
  NOTE: 20220810: Programming language: C.
  NOTE: 20220829: Ongoing triaging work. Maybe we should think about syncing
  NOTE: 20220829: bullseye and buster. (apo)
  NOTE: 20221002: Done. Will ask for a public review tomorrow though. (apo)
  NOTE: 20221018: https://lists.debian.org/debian-lts/2022/10/msg00037.html
  NOTE: 20221113: I intend to upload on 15.11.2022. I got positive feedback
  NOTE: 20221113: from a Bullseye user and Asterisk's maintainer seemed okay
  NOTE: 20221113: with it as well.
--
ceph
  NOTE: 20221031: Programming language: C++.
  NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system.
  NOTE: 20221031: What should be checked is whether any user with ceph permission can do the actions described in the exploit.
--
consul
  NOTE: 20221031: Programming language: Go.
  NOTE: 20221031: Concluded from the CVE description that the package should be fixed. Source code not analyzed in detail.
--
curl
  NOTE: 20220901: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
  NOTE: 20220904: Special attention: high popcon!
--
firefox-esr (Emilio)
--
firmware-nonfree
  NOTE: 20220906: Consider checking the severity of the issues again and judging whether a correction is worth it.
--
frr
  NOTE: 20220923: Programming language: C.
--
fwupd
  NOTE: 20221003: Programming language: C++.
--
gerbv
  NOTE: 20220923: Programming language: C.
--
git
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/git.git
--
golang-1.11
  NOTE: 20220916: Programming language: Go.
  NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't)
  NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921
--
golang-github-nats-io-jwt
  NOTE: 20221109: Programming language: Go.
  NOTE: 20221109: Special attention: limited support, cf. buster release notes; not in bullseye
--
golang-go.crypto
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support, cf. buster release notes
  NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
  NOTE: 20220915: Special attention: also check bullseye status
--
golang-websocket
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies
--
graphicsmagick
  NOTE: 20221027: Programming language: C.
--
grub2 (Salvatore Bonaccorso)
  NOTE: 20221116: Maintainer prepared buster-security updates for release as well
--
hsqldb
  NOTE: 20221031: Programming language: Java.
  NOTE: 20221031: To be investigated further. A possible outcome is to ignore it.
  NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html.
--
imagemagick
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
inetutils
  NOTE: 20221112: Programming language: C.
  NOTE: 20221112: Follow fixes from bullseye 11.5 (Beuc/front-desk)
--
ini4j
  NOTE: 20221012: Programming language: Java.
  NOTE: 20221012: Requires investigation (lamby)
--
jackson-databind (Markus Koschany)
  NOTE: 20221030: Programming language: Java.
--
jhead
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: Note that multiple options are vulnerable. The attacker has to trick someone into executing the command, but arbitrary code execution is not good.
  NOTE: 20221031: It should be stated in the DLA that multiple options are affected.
--
joblib (Dominik George)
  NOTE: 20221006: Programming language: Python.
--
jqueryui
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.2 (and jessie/elts) (Beuc/front-desk)
--
jupyter-core (Dominik George)
  NOTE: 20221102: Programming language: Python.
--
kopanocore
  NOTE: 20220801: Programming language: C++.
  NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired)
--
lava (Dominik George)
  NOTE: 20221031: Programming language: Python.
--
libapreq2
  NOTE: 20221031: Programming language: C.
--
libarchive
  NOTE: 20221111: Programming language: C.
  NOTE: 20221111: Sync with jessie/stretch/bullseye-11.3 (Beuc/front-desk)
--
libcommons-jxpath-java
  NOTE: 20221027: Programming language: Java.
  NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream discussion. See CVE-2022-41852 for pull requests.
--
libde265
  NOTE: 20221107: Programming language: C++.
  NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
  NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
--
libreoffice
  NOTE: 20221012: Programming language: C++.
--
libsdl2
  NOTE: 20221111: Programming language: C.
  NOTE: 20221111: Sync with jessie/stretch/bullseye (Beuc/front-desk)
--
libstb
  NOTE: 20221111: Programming language: C.
--
linux (Ben Hutchings)
--
man2html
  NOTE: 20221004: Programming language: C.
  NOTE: 20221004: It looks like no patch is available.
  NOTE: 20221004: Please evaluate whether the issue can be marked as <ignored>.
--
mbedtls
  NOTE: 20220821: Programming language: C.
--
modsecurity-crs
  NOTE: 20221006: Programming language: Other.
  NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version.
--
mplayer
  NOTE: 20221009: Programming language: C.
  NOTE: 20221009: Many open CVEs.
--
multipath-tools
  NOTE: 20221029: Programming language: C.
  NOTE: 20221029: Special attention: root privilege escalation.
--
netatalk
  NOTE: 20220816: Programming language: C.
  NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor)
--
nginx
  NOTE: 20221111: Programming language: C.
  NOTE: 20221111: Upcoming DSA + follow fixes from bullseye 11.4 (Beuc/front-desk)
--
node-cached-path-relative
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-css-what
  NOTE: 20221031: Programming language: JavaScript.
--
node-eventsource
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
--
node-fetch
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-follow-redirects
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-got
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
--
node-json-schema
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.2 (Beuc/front-desk)
--
node-loader-utils
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk)
--
node-log4js
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.5 (Beuc/front-desk)
--
node-moment
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)
--
node-nth-check
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-object-path
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
--
node-set-value
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
--
node-tar
  NOTE: 20220907: Programming language: JavaScript.
--
node-trim-newlines
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
--
node-url-parse
  NOTE: 20221111: Programming language: JavaScript.
  NOTE: 20221111: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk)
--
nodejs
  NOTE: 20221105: Programming language: JavaScript, C/C++, Python.
  NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git
  NOTE: 20221105: Source code not checked. It may be that the vulnerability is not present in buster.
--
ntfs-3g (Thorsten Alteholz)
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/ntfs-3g.git
--
openexr
  NOTE: 20220904: Programming language: C++.
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
php-cas
  NOTE: 20221105: Programming language: PHP.
  NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored. (ola)
  NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports),
  NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk)
  NOTE: 20221110: upcoming DSA (Beuc/front-desk)
--
php-phpseclib (Sylvain Beucler)
  NOTE: 20220909: Programming language: PHP.
  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix. (ola)
  NOTE: 20221104: Attempted to clarify vulnerability status (cf. 02cd83d1d917dc5964440185226aa11e40058546) (Beuc)
  NOTE: 20221108: buster is missing testsuite in both phpseclib packages, contacted maintainer to decide whether to backport testsuite or just bump version (Beuc)
--
php7.3 (Emilio)
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: CVE-2022-37454 is what is of most concern.
--
phpseclib (Sylvain Beucler)
  NOTE: 20220909: Programming language: PHP.
  NOTE: 20220909: Note the discussion whether 1.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix. (ola)
  NOTE: 20221104: Attempted to clarify vulnerability status (cf. 02cd83d1d917dc5964440185226aa11e40058546) (Beuc)
  NOTE: 20221108: buster is missing testsuite in both phpseclib packages, contacted maintainer to decide whether to backport testsuite or just bump version (Beuc)
--
pluxml
  NOTE: 20220913: Programming language: PHP.
  NOTE: 20220913: Special attention: orphaned package.
--
protobuf
  NOTE: 20221031: Programming language: Several.
  NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf.
--
puppet-module-puppetlabs-mysql
  NOTE: 20221107: Programming language: Puppet, Ruby.
--
python-django (Chris Lamb)
  NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed for buster.
  NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and CVE-2021-23336. (lamby)
  NOTE: 20221018: This leaves 8 CVEs that need fixing, either simply because the code is vulnerable or the issue has already been fixed in stretch: CVE-2022-34265, CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 & CVE-2021-28658 (lamby)
  NOTE: 20221027: To clarify, only the first CVE mentioned in the previous comment (CVE-2022-34265) is vulnerable and not fixed in stretch, and the other seven have already been fixed in stretch. I plan to fix these remaining 1 CVE and release (with 5 total CVEs) instead of trying to co-ordinate a release with 12 (!) new patches. I can address them later. (lamby)
  NOTE: 20221031: Programming language: Python.
  NOTE: 20221031: VCS: https://salsa.debian.org/python-team/modules/python-django.git
  NOTE: 20221031: Special attention: Chris Lamb is the maintainer.
  NOTE: 20221103: Re-added pre-20221031 comments from Git and reclaimed; will upload at least CVE-2022-28346 soon. (lamby)
  NOTE: 20221104: Uploaded with three more CVEs: CVE-2022-28346  CVE-2021-45115 CVE-2021-45116 (lamby)
  NOTE: 20221115: Will upload shortly with CVE-2021-44420, CVE-2021-45452, CVE-2022-22818 & CVE-2022-23833 (lamby)
--
qemu
  NOTE: 20221108: Programming language: C.
  NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch,
  NOTE: 20221108: there's about half of them that can be fixed (or definitely ignored if we can't) (Beuc/front-desk)
--
r-cran-commonmark
  NOTE: 20221009: Programming language: R.
  NOTE: 20221009: Please synchronize with ghostwriter.
--
rails
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and it is being tested (abhijith)
  NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
  NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
  NOTE: 20221024: to break thrice in less than 2 months.
--
rainloop
  NOTE: 20220913: Programming language: PHP, JavaScript.
  NOTE: 20220913: Special attention: orphaned as of 2022-09.
  NOTE: 20220913: Upstream appeared dead but there was activity 2 weeks ago,
  NOTE: 20220913: a "SnappyMail" fork exists and may have patches we can use,
  NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
  NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk)
--
ruby-rails-html-sanitizer
  NOTE: 20221102: Programming language: Ruby.
  NOTE: 20221102: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
--
runc
  NOTE: 20220905: Programming language: Go.
  NOTE: 20220905: Special attention: Sync with Bullseye.
--
salt
  NOTE: 20220814: Programming language: Python.
  NOTE: 20220814: Package is not among the packages supported by us.
  NOTE: 20220814: Also, I am not sure whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
--
samba
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
  NOTE: 20220904: Special attention: High popcon! Used in many servers.
  NOTE: 20220904: Many postponed or open CVE in general. (apo)
--
snort
  NOTE: 20220905: Requires further triaging to conclude exactly which CVEs are to be fixed or ignored.
--
sox
  NOTE: 20220818: Programming language: C.
  NOTE: 20220818: Requires some investigation; see #1012138 etc.
  NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith)
--
thunderbird (Emilio)
--
tiff
  NOTE: 20221031: Programming language: C.
  NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
--
trafficserver
  NOTE: 20220905: Programming language: C.
  NOTE: 20221024: WIP, big changeset in security fix (abhijith)
  NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith)
  NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith)
--
twisted
  NOTE: 20221030: Programming language: Python.
--
varnish
  NOTE: 20221109: Programming language: C.
  NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk)
--
vim (Helmut)
  NOTE: 20221108: Programming language: C.
  NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git
--
virglrenderer
  NOTE: 20221009: Programming language: C.
--
zabbix
  NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too.
--
