An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
ansible (Markus Koschany)
NOTE: 20210322: As discussed with the maintainer I will update Buster first and
NOTE: 20210322: after that LTS. Will ask for a maintainer review later this week.
--
ceph
NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
NOTE: 20200928: If someone knows how to test the packages please take this build and upload (after testing it).
NOTE: 20210118: wip (Emilio)
--
cgal (Anton Gladky)
--
condor
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
NOTE: 20210205: Some patches seem to be available but not clear if they solve the whole issue or not. (ola)
--
courier-authlib
NOTE: 20210319: Likely needs collaboration with maintainers. (lamby)
NOTE: 20210329: conversation started already; in midst of staging this
NOTE: 20210329: and getting prepared. The nature of conversation is
NOTE: 20210329: internal and Utkarsh is working on it already. (utkarsh)
--
edk2
--
firmware-nonfree
NOTE: 20201207: wait for the update in buster and backport that (Emilio)
--
golang-github-appc-cni (Thorsten Alteholz)
NOTE: 20210221: also taking care of reverse dependencies
NOTE: 20210221: also taking care of other suites
NOTE: 20210321: still WIP
--
golang-gogoprotobuf
NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby)
NOTE: 20210308: The only explanation I have is that Skippy is a peanut butter brand and the fix is related to a variable called skippy (Ola)
NOTE: 20210308: Patch prepared and available http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
NOTE: 20210308: If anyone has a good way to regression test the package, this information is appreciated.
NOTE: 20210308: If anyone has information on what the result of the missing range check is, that information is also appreciated.
NOTE: 20210318: The generated code is in many other go packages.
NOTE: 20210329: See discussion at https://lists.debian.org/debian-lts/2021/03/msg00011.html
--
gsoap
--
libebml (Thorsten Alteholz)
NOTE: 20210307: testing package
NOTE: 20210321: preparing buster debdiff as well
--
libxstream-java (Markus Koschany)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
opendmarc
NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto)
NOTE: 20210104: wait for other CVEs (abhijith)
--
php-pear (Sylvain Beucler)
--
pillow (Abhijith PA)
NOTE: 20200322: Working on no-DSA tagged CVEs (abhijith)
--
python2.7 (Anton Gladky)
NOTE: 20210316: Same issue as python3.5 immediately below; suggest handled by same maintainer. (lamby)
NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python2.7 (gladk)
--
python3.5 (Anton Gladky)
NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby)
NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python3.5 (gladk)
--
qemu
--
ruby-actionpack-page-caching
NOTE: 20200819: Upstream's patch does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
NOTE: 20200819: uses the path without normalising any "../" etc., simply
NOTE: 20200819: URI.parser.unescape-ing it. Requires more investigation. (lamby)
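As an added illustration of the note above (this is not code from the gem, from upstream or from the triage author), the following Ruby reconstructs the decode-then-join behaviour the note describes and contrasts it with a version that normalises the result and checks it stays under the cache root. The cache directory, the request paths, the helper names (unsafe_page_cache_path, safe_page_cache_path, escapes_cache_dir?) and the assumption that a percent-encoded "%2e%2e" reaches the helper undecoded are all constructed for the example.

```ruby
require "uri"

# Constructed cache root for the example (not the gem's default).
CACHE_DIR = "/var/www/app/public/cache".freeze

# RFC2396 parser: its #unescape is the percent-decoder the note refers to.
UNESCAPER = URI::RFC2396_Parser.new

# Simplified reconstruction of the decode-then-join logic described in the
# triage note: percent-decode the request path, append an extension, and glue
# it onto the cache directory with no normalisation of "..". Hypothetical.
def unsafe_page_cache_path(path, extension = ".html")
  name = if path.empty? || path =~ %r{\A/+\z}
           "/index"
         else
           UNESCAPER.unescape(path.chomp("/"))
         end
  last_segment = name.split("/").last || name
  name += extension unless last_segment.include?(".")
  CACHE_DIR + name
end

# Hardened variant (example only): lexically resolve ".." and refuse anything
# that does not stay inside the cache root. File.expand_path touches no
# filesystem, so this is safe to call before any write.
def safe_page_cache_path(path, extension = ".html")
  candidate = unsafe_page_cache_path(path, extension)
  resolved  = File.expand_path(candidate)
  root      = File.expand_path(CACHE_DIR)
  inside    = resolved == root || resolved.start_with?(root + "/")
  raise ArgumentError, "cache path escapes #{root}: #{resolved}" unless inside
  resolved
end

# True when the naive path, once resolved, lands outside CACHE_DIR.
def escapes_cache_dir?(path)
  resolved = File.expand_path(unsafe_page_cache_path(path))
  root     = File.expand_path(CACHE_DIR)
  !(resolved == root || resolved.start_with?(root + "/"))
end

if __FILE__ == $PROGRAM_NAME
  benign  = "/posts/1"
  # Constructed attacker path: "%2e%2e" decodes to ".." after the router has
  # already seen a harmless-looking segment.
  hostile = "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/tmp/evil"

  puts unsafe_page_cache_path(benign)
  puts unsafe_page_cache_path(hostile)
  puts "escapes? #{escapes_cache_dir?(hostile)}"
  begin
    safe_page_cache_path(hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The check compares the expanded path against the expanded root with a trailing slash so that a sibling directory such as "/var/www/app/public/cache2" is not accepted as "inside".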
--
ruby-activerecord-session-store
--
ruby-carrierwave
NOTE: 20210320: Will be difficult to backport as code in LTS version appears
NOTE: 20210320: to use primitive Kernel.open to load URIs. (lamby)
--
ruby-doorkeeper
NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh)
NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
NOTE: 20200831: more investigation needed. (utkarsh)
NOTE: 20201009: on another note, it needs more investigation if this version is affected in
NOTE: 20201009: the first place or not. (utkarsh)
NOTE: 20201215: the "includes plaintext secret" code is not part of the source code for stretch, but there may be other ways to trigger this (ola)
--
ruby-kaminari
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both the
NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
NOTE: 20200819: file has been refactored a few times). (lamby)
NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
ruby-nokogiri
NOTE: 20210403: CVE-2020-26247: Java-level API not included in stretch but CVE also affects C/Ruby-level APIs;
NOTE: 20210403: check if default change (trust -> don't trust external schemas) possibly breaks compatibility (Beuc)
--
salt (Utkarsh)
NOTE: 20210329: WIP (utkarsh)
--
shiro (Roberto C. Sánchez)
NOTE: 20200920: WIP
NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto)
--
smarty3 (Abhijith PA)
NOTE: 20200322: CVE-2018-13982 need more time to backport (abhijith)
--
spotweb
NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
--
subversion (Emilio)
NOTE: 20210322: have a look at #985556 and #948834
--
xmlbeans
NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
NOTE: 20210222: upstream release with the fix). Trying to determine how to
NOTE: 20210222: implement the changes without introducing too much new code. (roberto)
NOTE: 20210309: Have developed a minimal backport that accomplishes necessary security
NOTE: 20210309: fix with minimal new code. (roberto)
--