An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- ansible NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666 NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable. NOTE: 20200506: (lamby) NOTE: 20200508: bam: Problem exists with new files only. Existing files NOTE: 20200508: bam: code resets permissions to same value, should be fine. NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970 NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- apache2 (Utkarsh Gupta) NOTE: 20200501: The problem to solve is this: https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 (Ola) NOTE: 20200501: No CVE yet. (Ola) NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh) -- bind9 (Thorsten Alteholz) -- bluez (Roberto C. Sánchez) NOTE: 20200521: Uploaded backport (version 5.43-2+deb8u1), which now must go through NEW (roberto) -- cacti -- condor NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto) NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby) -- cups (Anton Gladky) NOTE: 20200514: Two open issues. Added on request from Anton Gladky. (sunweaver) -- freerdp NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) -- graphicsmagick (Roberto C. Sánchez) NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver) -- imagemagick (Markus Koschany) -- json-c (Mike Gabriel) NOTE: 20200514: json-c is currently orphaned, so possibly fix (old)stable, too? (sunweaver) -- libdatetime-timezone-perl NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. NOTE: 20190428: most patches can be applied after context adaption NOTE: 20190428: all CVEs are from one fuzzing attempt NOTE: 20190428: some CVE testcases pass on the unpatched version, NOTE: 20190428: but since the fixes can be made applied the code NOTE: 20190428: is likely vulnerable NOTE: 20190428: some CVE testcases still fail after applying the fix, NOTE: 20190428: older changes seem to also be required for them NOTE: 20200518: work is ongoing (bunk) -- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- mumble (Abhijith PA) NOTE: 20200325: Regression in last upload, forgot to follow up. NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith) NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith) -- netqmail (Utkarsh Gupta) -- nginx (Mike Gabriel) NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby) -- nss NOTE: 20200521: bug report is not yet public, so probably Jessie is not affected -- opendmarc (Thorsten Alteholz) NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten) NOTE: 20200511: new CVEs arrived (thorsten) -- php5 (Thorsten Alteholz) NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218 NOTE: 20200511: still trying to determine how this CVE affects php -- qemu (Adrian Bunk) NOTE: 20200511: work is ongoing (bunk) -- salt (Abhijith PA) NOTE: 20200501: Upstream fix for CVE-CVE-2020-11651 causes a regression. Should be fixed too. (Ola) NOTE: 20200518: WIP (abhijith) -- squid3 (Markus Koschany) NOTE: 20200518: Ongoing work on squid3 in Stretch which will be used for Jessie NOTE: 20200518: and Stretch. -- tomcat7 (Chris Lamb) -- tomcat8 (Markus Koschany) NOTE: 20200521: One patch resulted to have a bug that had to be fixed; new CVE also released. (roberto) -- transmission (Thorsten Alteholz) -- tzdata NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto) -- unbound (Anton Gladky) -- xcftools (Anton Gladky) NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby) NOTE: 20200517: work is ongoing. (gladk) -- xen NOTE: 20200414: debian-security-support has been updated with EOL status NOTE: 20200414: and will be uploaded concurrent with next stretch/buster point releases NOTE: 20200414: c.f., https://lists.debian.org/debian-lts/2020/04/msg00026.html (roberto) --