An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
ansible
NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
NOTE: 20200506: (lamby)
NOTE: 20200508: bam: Problem exists with new files only. Existing files
NOTE: 20200508: bam: code resets permissions to same value, should be fine.
NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
apache2 (Utkarsh Gupta)
NOTE: 20200501: The problem to solve is this: https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 (Ola)
NOTE: 20200501: No CVE yet. (Ola)
NOTE: 20200510: Asking upstream for CVE assignment. (utkarsh)
--
bluez (Roberto C. Sánchez)
NOTE: 20200521: Uploaded backport (version 5.43-2+deb8u1), which now must go through NEW (roberto)
--
cacti (Abhijith PA)
NOTE: 20200529: A patch needs to be cooked up. Upstream patch does not fit the jessie version (abhijith)
--
condor (Adrian Bunk)
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
--
cups (Anton Gladky)
NOTE: 20200514: Two open <no-dsa> issues. Added on request from Anton Gladky. (sunweaver)
--
drupal7
--
freerdp (Mike Gabriel)
NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby)
--
graphicsmagick
NOTE: 20200514: no upstream patch available, yet, for CVE-2020-12672 (sunweaver)
NOTE: 20200529: still no upstream patch available, yet, for CVE-2020-12672 (roberto)
--
imagemagick (Markus Koschany)
--
libdatetime-timezone-perl
NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto)
--
libmatio (Adrian Bunk)
NOTE: fairly high number of open issues. Not sure why we never had a look at them.
NOTE: triage work needed, help security team for fixes if needed.
NOTE: 20190428: most patches can be applied after context adaption
NOTE: 20190428: all CVEs are from one fuzzing attempt
NOTE: 20190428: some CVE testcases pass on the unpatched version,
NOTE: 20190428: but since the fixes can be applied, the code
NOTE: 20190428: is likely vulnerable
NOTE: 20190428: some CVE testcases still fail after applying the fix,
NOTE: 20190428: older changes seem to also be required for them
NOTE: 20200518: work is ongoing (bunk)
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mumble
NOTE: 20200325: Regression in last upload, forgot to follow up.
NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
--
netqmail (Utkarsh Gupta)
--
nginx (Mike Gabriel)
NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby)
--
nss (Adrian Bunk)
NOTE: 20200521: bug report is not yet public, so probably Jessie is not affected
--
opendmarc (Thorsten Alteholz)
NOTE: 20200511: new CVEs arrived (thorsten)
NOTE: 20200524: testing package
--
php-horde-gollem (Mike Gabriel)
--
php5 (Thorsten Alteholz)
NOTE: 20200427: embedded software "file" needs fix for CVE-2019-18218
NOTE: 20200511: still trying to determine how this CVE affects php
NOTE: 20200524: new CVE arrived (thorsten)
--
python-httplib2 (Abhijith PA)
--
qemu (Adrian Bunk)
NOTE: 20200525: work is ongoing (bunk)
--
sane-backends (Adrian Bunk)
--
sqlite3 (Abhijith PA)
--
squid3 (Markus Koschany)
NOTE: 20200518: Ongoing work on squid3 in Stretch which will be used for Jessie
NOTE: 20200518: and Stretch.
--
sympa (Utkarsh Gupta)
NOTE: 20200525: Incomplete patch. The complete patch has not been made public. (utkarsh)
NOTE: 20200525: But that is weird, given their announcement. (utkarsh)
NOTE: 20200525: More discussion about this has been shared on the list. (utkarsh)
NOTE: 20200525: Anyway, the patch that is made public so far has been uploaded to
NOTE: 20200525: https://people.debian.org/~utkarsh/jessie-lts/sympa/ (utkarsh)
--
tzdata
NOTE: 20200514: LTS update must wait on oldstable update first to prevent newer version in LTS (roberto)
--
unbound (Anton Gladky)
--
xcftools (Anton Gladky)
NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
NOTE: 20200517: work is ongoing. (gladk)
NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
--
xen
NOTE: 20200414: debian-security-support has been updated with EOL status
NOTE: 20200414: and will be uploaded concurrent with next stretch/buster point releases
NOTE: 20200414: c.f., https://lists.debian.org/debian-lts/2020/04/msg00026.html (roberto)
--