1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
amd64-microcode
NOTE: 20210831: no binary package was built, possibly due to non-free-specific rules
NOTE: 20210831: https://lists.debian.org/debian-lts/2021/08/msg00033.html
NOTE: 20210831: needs to be fixed (Beuc)
--
ansible (Lee Garrett)
NOTE: 20210411: As discussed with the maintainer I will update Buster first and
NOTE: 20210411: after that LTS. (apo)
NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
cacti (Roberto C. Sánchez)
NOTE: 20210829: not really sure whether affected, please recheck
NOTE: 20210914: still assessing whether or not affected (roberto)
--
debian-archive-keyring (Utkarsh)
NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
--
firmware-nonfree
NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
--
gnutls28 (Sylvain Beucler)
NOTE: 20210910: https://lists.debian.org/debian-lts/2021/09/msg00008.html
--
grilo (Thorsten Alteholz)
NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38
NOTE: 20210912: maintainer ok, testing package
--
krb5 (Adrian Bunk)
NOTE: 20210905: testing fixes
--
libxstream-java (Anton Gladky)
NOTE: 20210901: See thread at https://www.mail-archive.com/debian-lts@lists.debian.org/msg09588.html
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mosquitto
NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp)
NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp)
--
mupdf (Anton Gladky)
NOTE: 20210817: fix for CVE-2020-19609 and CVE-2021-37220 in buster are to be put into a point release.
--
nettle (Markus Koschany)
NOTE: 20210719: difficult backport, wip (Emilio)
NOTE: 20210913: CVE-2021-20305 has been fixed, the fix for CVE-2021-3580 is
NOTE: almost complete.
--
ntfs-3g (Abhijith PA)
--
nvidia-graphics-drivers
NOTE: package is in non-free but also in packages-to-support
NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
openssl (Thorsten Alteholz)
NOTE: 20210912: testing package, upload probably after LE fix
--
openssl1.0 (Thorsten Alteholz)
NOTE: 20210912: testing package, upload probably after LE fix
--
plib
NOTE: 20210829: no fix yet. (thorsten)
NOTE: 20210829: upstream bug mentions that it might never get fixed. (utkarsh)
--
python-babel
NOTE: 20210617: CVE-2021-20095 withdrawn, cf. 251b6e33 and #987824 (abhijith)
NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
NOTE: 20210620: Revisit when it has an assigned CVE ID (abhijith)
--
qtbase-opensource-src (Utkarsh)
NOTE: 20210914: needs further checking for vulnerability. (utkarsh)
--
ruby-kaminari
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the
NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
NOTE: 20200819: file has been refactored a few times). (lamby)
NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
NOTE: 20210719: https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch
NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari.
NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly.
--
ruby2.3 (Utkarsh)
NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh)
NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh)
--
rustc
NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
NOTE: https://bugs.debian.org/928422
NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk)
--
salt
NOTE: 20210329: WIP (utkarsh)
NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh)
NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh)
NOTE: 20210816: will test the provided debdiff; needs testing as regression spotted. (utkarsh)
--
smarty3 (Abhijith PA)
NOTE: 20210829: Track regression (abhijith)
NOTE: 20210906: prepared a build for testing. Waiting for bug submitter's reply (abhijith)
--
tiff (Utkarsh)
--
|
