summaryrefslogtreecommitdiffstats
path: root/data/dla-needed.txt
blob: 39d0d2eb08e4896ce536e09d928f37073c942952 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
aide
--
ansible
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
apache2 (Anton)
  NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton)
--
apng2gif
  NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie
  NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk)
--
debian-archive-keyring
  NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
  NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
  NOTE: 20211003: waiting for Jonathan to get back as his keys
  NOTE: 20211003: seemed to have expired and the build is thus
  NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
  NOTE: 20211018: Jonathan is prepping the branch; will work
  NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
--
expat (Markus Koschany)
--
firmware-nonfree
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
flatpak
  NOTE: 20220113: upcoming DSA; non-trivial backport (Beuc)
--
gif2apng
  NOTE: 20220114: orphaned package with inactive upstream, maybe coordinate with Debian QA to write our own patches (Beuc)
  NOTE: 20220114: CVEs unrelated to apng2gif's (Beuc)
--
golang-1.7 (Sylvain Beucler)
  NOTE: 20220114: harmonize with bullseye-11.2 (CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717) (Beuc)
--
golang-1.8 (Sylvain Beucler)
  NOTE: 20220114: harmonize with bullseye-11.2 (CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717) (Beuc)
--
gpac (Roberto C. Sánchez)
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
  NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
  NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
--
guacamole-client
  NOTE: 20220114: package unmaintained AFAICS and only present in stretch (Beuc)
--
libarchive (Thorsten Alteholz)
  NOTE: 20220102: testing package
  NOTE: 20220116: waiting for upload in higher releases
--
libgit2 (Utkarsh)
  NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed
  NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch
  NOTE: 20211029: 4 other CVEs might also be worth fixing (bunk)
  NOTE: 20211029: taking this with my maintainer hat on; will investigate
  NOTE: 20211029: and TAL later next week. (utkarsh)
  NOTE: 20211116: backports prepped; checking build and smoke-testing package. (utkarsh)
  NOTE: 20211129: readied up everything, using pygit and other wrappers
  NOTE: 20211129: around which the code changed. will upload in the next 2 days. (utkarsh)
  NOTE: 20220110: waiting on upstream to get feedback. (utkarsh)
--
libraw (Abhijith PA)
  NOTE: 20211227: 7 CVEs that were fixed for jessie in  DLA-1734-1 are unfixed
  NOTE: 20211227: in stretch, plenty other unfixed CVEs (bunk)
  NOTE: 20220117: Fixed CVEs other than DLA-1734-1 (abhijith)
--
libspf2 (Thorsten Alteholz)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
pgbouncer (Christoph Berg)
  NOTE: 20220104: maintainer might want to upload fixed version
--
pillow (Emilio)
--
pjproject
  NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
--
prosody
  NOTE: 20220114: upcoming DSA (Beuc)
--
python2.7 (Anton)
  NOTE: 20220112: 3 postponed CVEs (Beuc)
--
qt4-x11 (Utkarsh)
  NOTE: 20220112: 2 SVG CVEs (CVE-2021-45930,CVE-2021-34812) to fix in both qtsvg-opensource-src and qt4-x11 (Beuc)
--
samba (Utkarsh Gupta)
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload
  NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
--
vim (Emilio)
--
zabbix
--

© 2014-2022 Faster IT GmbH | imprint | privacy policy