path: root/data/dla-needed.txt
blob: f3b45e1567e66078ff09bb9998f67ab64c9b7856
An LTS security update is needed for the following source packages.

To add a new entry, please coordinate with this week's Front-Desk
person, and use the 'package-operations' LTS tool.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

When checking what packages to work on, use:
$ ./find-work
from the LTS admin repository, to sort packages by priority and
display important notes about the package (special attention, VCS,
testing procedures, programming language, etc.).

To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
ansible
  NOTE: 20231202: Added by Front-Desk (Beuc)
  NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021
  NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to
  NOTE: 20231202: assess/fix the situation.
  NOTE: 20231217: Begin to triage CVEs (rouca)
  NOTE: 20231217: Triaging done, a few mails sent upstream for clarification purposes (rouca)
  NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
--
atril
  NOTE: 20240121: Added by Front-Desk (apo)
  NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead.
--
bind9 (santiago)
  NOTE: 20240218: Added by Front-Desk (lamby)
  NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby)
--
cacti (Sylvain Beucler)
  NOTE: 20230906: Added by Front-Desk (lamby)
  NOTE: 20231205: Triaging CVEs backlog (Beuc)
  NOTE: 20231218: Keep triaging CVEs backlog (Beuc)
  NOTE: 20240102: Triage more CVEs backlog, fix a couple bullseye triage, sync with maintainer (Beuc)
  NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs are minor so far (Beuc)
  NOTE: 20240123: Backport patches, report duplicate to MITRE (CVE-2023-50569) (Beuc)
  NOTE: 20240131: Tidy https://salsa.debian.org/debian/cacti/-/tree/buster?ref_type=heads (Beuc)
  NOTE: 20240219: Backport patches, update patch commits (Beuc)
  NOTE: 20240222: Coordinating with maintainer to prepare bullseye&bookworm updates (Beuc)
  NOTE: 20240222: Reported incomplete fix upstream (Beuc)
  NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc)
--
cairosvg
  NOTE: 20230323: Added by Front-Desk (gladk)
  NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert)
  NOTE: 20240212: Could have side effects, though (#1050643). I'm not going forward with the upload. (dleidert)
--
cinder
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
composer (rouca)
  NOTE: 20240209: Added by Front-Desk (utkarsh)
  NOTE: 20240304: Need to backport bullseye
--
cpio
  NOTE: 20240303: Added by Front-Desk (apo)
  NOTE: 20240304: Likely no work to do since upstream considers CVE-2023-7216 normal behavior. (bunk)
--
curl
  NOTE: 20231229: Added by Front-Desk (lamby)
  NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby)
  NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21
--
dask.distributed (guilhem)
  NOTE: 20231228: Added by Front-Desk (lamby)
  NOTE: 20231228: CVE-2021-42343 fixed in bullseye via DSA or point release. (lamby)
--
dnsmasq
  NOTE: 20240303: Added by Front-Desk (apo)
--
docker.io
  NOTE: 20230303: Added by Front-Desk (Beuc)
  NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
  NOTE: 20230424: Is in preparation. (gladk)
  NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html
  NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version)
  NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lacks a reproducer test case
--
dogecoin
  NOTE: 20230619: Added by Front-Desk (Beuc)
  NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream,
  NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status;
  NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
  NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
--
edk2
  NOTE: 20231230: Added by Front-Desk (lamby)
  NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby)
--
exiftags
  NOTE: 20240121: Added by Front-Desk (apo)
--
freeimage
  NOTE: 20240121: Added by Front-Desk (apo)
--
frr (Abhijith PA)
  NOTE: 20231119: Added by Front-Desk (apo)
  NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
  NOTE: 20240301: continue work (abhijith)
--
golang-go.crypto
  NOTE: 20231219: Added by Front-Desk (ta)
--
gtkwave (Adrian Bunk)
  NOTE: 20240116: Added by Front-Desk (lamby)
  NOTE: 20240116: For CVE-2023-32650 etc. (lamby)
--
h2o
  NOTE: 20231228: Added by Front-Desk (lamby)
--
i2p
  NOTE: 20230809: Added by Front-Desk (Beuc)
  NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
--
imagemagick
  NOTE: 20230622: Added by Front-Desk (Beuc)
  NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
  NOTE: 20231014: Some work under git branch debian/buster but unease
  NOTE: 20240227: Made a partial release
--
jenkins-htmlunit-core-js
  NOTE: 20231231: Added by Front-Desk (lamby)
  NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance
  NOTE: 20231231: … suggests that the embedded copy of htmlunit is very old and may
  NOTE: 20231231: … not even support XSLT processing. However, it does use the
  NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may
  NOTE: 20231231: … indeed be vulnerable. (lamby)
--
jetty9
  NOTE: 20240303: Added by Front-Desk (apo)
--
knot-resolver
  NOTE: 20231029: Added by Front-Desk (gladk)
--
libapache2-mod-auth-openidc (Chris Lamb)
  NOTE: 20240305: Added by Front-Desk (opal)
--
libcommons-compress-java (Markus Koschany)
  NOTE: 20240303: Added by Front-Desk (apo)
--
libreswan
  NOTE: 20230817: Added by Front-Desk (ta)
  NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
  NOTE: 20230909: https://salsa.debian.org/lts-team/packages/libreswan.git on the experimental
  NOTE: 20230909: branch. Upstream patch for CVE-2023-38710 does not apply at
  NOTE: 20230909: all due to code refactoring. I intend to package the version
  NOTE: 20230909: from Bullseye instead as soon as the maintainer uploads the fix. (apo)
--
libssh
  NOTE: 20231219: Added by Front-Desk (ta)
  NOTE: 20240225: Patches backported, tests pass.  Backports need review.
  NOTE: 20240225: Re CVE-2023-48795: untested that Terrapin is actually
  NOTE: 20240225: mitigated.  Upstream have provided some input on doing that:
  NOTE: 20240225: <https://archive.libssh.org/libssh/2024-01/0000000.html>
  NOTE: 20240225: (spwhitton).
  NOTE: 20240227: Re CVE-2023-6918: commit 3eb99562 is simply to fix
  NOTE: 20240227: the build.  It is currently unknown whether it is safe.
  NOTE: 20240227: Upstream have provided some feedback on the issue:
  NOTE: 20240227: <https://archive.libssh.org/libssh/2024-02/0000009.html>
  NOTE: 20240227: (spwhitton).
--
libstb
  NOTE: 20231029: Added by Front-Desk (gladk)
  NOTE: 20231029: A lot of open CVEs. Maybe duplicates.
  NOTE: 20231029: If you take a package, please evaluate it as well as its importance.
  NOTE: 20221119: None of the new CVE fixes has been reviewed by upstream so far,
  NOTE: 20221119: and in the past CVE fixes have caused regressions.
  NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). (bunk)
--
libuv1 (Adrian Bunk)
  NOTE: 20240303: Added by Front-Desk (apo)
--
linux (Ben Hutchings)
  NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
linux-5.10
  NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
--
lucene-solr
  NOTE: 20240213: Added by Front-Desk (lamby)
--
nodejs (guilhem)
  NOTE: 20240218: Added by Front-Desk (lamby)
--
nova
  NOTE: 20230302: Re-add, request by maintainer (Beuc)
  NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
  NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes);
  NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
  NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monoliticFlat disabled by default).
  NOTE: 20230302:  Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo)
  NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected.
  NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely.
  NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby)
--
nss (tobi)
  NOTE: 20240121: Added by Front-Desk (apo)
  NOTE: 20240209: <tobi> There is currently no (public) patch for CVE-2023-5388 - RedHat seems to have one in private… (tobi)
  NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is unclear which bits are required or if the
  NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version in buster does not have the NIST ciphers
  NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm unsure if the prepared patches are fixing the vulnerability.
  NOTE: 20240209: The backported patches are in the LTS repository, CVE-2023-6135*.patch </tobi>
  NOTE: 20230227: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there.
--
nvidia-cuda-toolkit
  NOTE: 20230514: Added by Front-Desk (utkarsh)
  NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
  NOTE: 20230514: piled up. (utkarsh)
  NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
  NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
nvidia-graphics-drivers
  NOTE: 20240303: Added by Front-Desk (apo)
  NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release?
  NOTE: 20240303: Maybe it's time to mark them EOL?
--
nvidia-graphics-drivers-legacy-390xx
  NOTE: 20240303: Added by Front-Desk (apo)
  NOTE: 20240303: See comment for nvidia-graphics-drivers.
--
putty
  NOTE: 20231224: Added by Front-Desk (ta)
  NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca)
--
python-asyncssh
  NOTE: 20240116: Added by Front-Desk (lamby)
  NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert)
--
python-glance-store
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
  NOTE: 20230705: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store (jspricke)
  NOTE: 20230705: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. (jspricke)
--
python-os-brick
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
qemu (Adrian Bunk)
  NOTE: 20240119: Added by Front-Desk (lamby)
  NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or <ignored>. (lamby)
--
rails
  NOTE: 20220909: Re-added due to regression (abhijith)
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
  NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
  NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
  NOTE: 20221024: to break thrice in less than 2 months.
  NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
  NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
--
ring
  NOTE: 20230903: Added by Front-Desk (gladk)
  NOTE: 20230928: will likely be hard to fix, see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
--
runc
  NOTE: 20240204: Added by Front-Desk (ta)
  NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of
  NOTE: 20240219: https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df and
  NOTE: 20240219: https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951.
  NOTE: 20240219: But it uses a link to internal/poll.IsPollDescriptor, introduced in Go 1.12, which I cannot backport (dleidert).
--
samba
  NOTE: 20230918: Added by Front-Desk (apo)
--
sendmail
  NOTE: 20231224: Added by Front-Desk (ta)
  NOTE: 20240213: Patch needs to be extracted (rouca). Upstream does not publish patches.
  NOTE: 20240217: Patch extracted and being reviewed (rouca)
--
squid
  NOTE: 20240109: Added by Front-Desk (apo)
  NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix
  NOTE: 20240109: appears to be intrusive. I could not locate the fix for CVE-2023-49288 yet. (apo)
--
suricata (Adrian Bunk)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie,
  NOTE: 20230620: I'd suggest reviewing the CVEs, refining the triage (postponed/ignored),
  NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk)
  NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
  NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
  NOTE: 20231016: Still reviewing+testing CVEs. (bunk)
  NOTE: 20231120: DLA coming soon. (bunk)
--
tiff (Abhijith PA)
  NOTE: 20231231: Added by Front-Desk (lamby)
  NOTE: 20231231: CVE-2023-3576 already fixed in bullseye via DSA or point release(s). (lamby)
--
tinymce
  NOTE: 20231123: Added by Front-Desk (ola)
  NOTE: 20231216: Someone with more XSS experience needed to assess the
  NOTE: 20231216: severity of CVE-2023-48219.  Also not clear to me that
  NOTE: 20231216: upstream's patch is backportable, as the code has changed a
  NOTE: 20231216: lot.  (spwhitton)
--
tomcat9
  NOTE: 20240121: Added by Front-Desk (apo)
--
varnish
  NOTE: 20231117: Added by Front-Desk (apo)
  NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004
  NOTE: 20231219: Continuing work
  NOTE: 20240108: Backported security fixes and related commits. Fixing test failures. (abhijith)
  NOTE: 20240122: Still fixing tests (abhijith)
  NOTE: 20240213: Fixing tests. (abhijith)
--
yard (Adrian Bunk)
  NOTE: 20240303: Added by Front-Desk (apo)
--
zabbix
  NOTE: 20240212: Added by Front-Desk (utkarsh)
--
zfs-linux
  NOTE: 20231127: Added by Front-Desk (Beuc)
  NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh)
  NOTE: 20240209: I was out last to last week so couldn't process this but it's nearly ready. (utkarsh)
--
