An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
ansible
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
bind9 (Markus Koschany)
--
botan1.10 (Anton Gladky)
  NOTE: 20211101: almost ready to be uploaded (gladk)
--
debian-archive-keyring
  NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
  NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
  NOTE: 20211003: waiting for Jonathan to get back as his keys
  NOTE: 20211003: seemed to have expired and the build is thus
  NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
  NOTE: 20211018: Jonathan is prepping the branch; will work
  NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
--
exiv2 (Thorsten Alteholz)
  NOTE: 20211024: WIP, not yet finished
--
ffmpeg (Anton Gladky)
  NOTE: probably wait until stuff is fixed in Buster
  NOTE: 20211010: WIP https://salsa.debian.org/lts-team/packages/ffmpeg
  NOTE: ffmpeg 3.2.16 has been released
  NOTE: 20211101: preparing an update (gladk)
--
firefox-esr (Emilio)
--
firmware-nonfree
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
--
glusterfs (Markus Koschany)
  NOTE: 20211029: 15 CVEs that were fixed in jessie in DLA-1510-1 and DLA-1565-1
  NOTE: 20211029: should also be fixed in stretch (bunk)
--
gpac (Roberto C. Sánchez)
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
--
libgit2 (Utkarsh)
  NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed
  NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch
  NOTE: 20211029: 4 other CVEs might also be worth fixing (bunk)
  NOTE: 20211029: taking this with my maintainer hat on; will investigate
  NOTE: 20211029: and TAL later next week. (utkarsh)
--
libssh2 (Ola Lundqvist)
  NOTE: 20211031: CVE-2019-13115 and CVE-2019-17498 were fixed in jessie DLAs
  NOTE: 20211031: but still need fixing in stretch and buster. (bunk)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
ntfs-3g (Anton Gladky)
  NOTE: 20211101: too many CVEs (gladk)
--
nvidia-graphics-drivers
  NOTE: package is in non-free but also in packages-to-support
  NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
openjdk-8 (Roberto C. Sánchez)
  NOTE: 20211101: coordinating with maribilos, waiting on upstream to finalize tags (roberto)
--
openssh
  NOTE: 20211003: a backporting error for CVE-2018-15473 was reported in
  NOTE: 20211003: Ubuntu (and can see the same code differences here);
  NOTE: 20211003: check if that needs to be fixed; talking to -security.
  NOTE: 20211003: also CVE-2021-41617 is new; might be a good idea to
  NOTE: 20211003: club both these together. (utkarsh)
  NOTE: 20211018: the regression doesn't happen for stretch; looking at
  NOTE: 20211018: the other bit. (utkarsh)
--
python3.5 (Utkarsh)
  NOTE: 20211003: whilst looks like a no-dsa/postponed candidate on a
  NOTE: 20211003: quick look, Canonical issued an update via the ESM
  NOTE: 20211003: pocket. Needs another look. (utkarsh)
--
redis (Chris Lamb)
  NOTE: 20211004: Fixed in sid and experimental. (lamby)
  NOTE: 20211006: buster-pu filed in #995825. (lamby)
  NOTE: 20211026: Waiting for input from SRM / security team. (lamby)
--
rustc (Roberto C. Sánchez)
  NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
  NOTE: https://bugs.debian.org/928422
  NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk)
  NOTE: 20211101: working on llvm-toolchain-11 update, which is needed by rustc (roberto)
--
salt (Markus Koschany)
  NOTE: 20210329: WIP (utkarsh)
  NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
  NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh)
  NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh)
  NOTE: 20210816: will test the provided debdiff; needs testing as regression spotted. (utkarsh)
--
thunderbird (Emilio)
--