An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
ansible (Lee Garrett)
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
debian-archive-keyring
  NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
  NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
  NOTE: 20211003: waiting for Jonathan to get back as his keys
  NOTE: 20211003: seemed to have expired and the build is thus
  NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
  NOTE: 20211018: Jonathan is prepping the branch; will work
  NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
--
firefox-esr (Emilio)
  NOTE: 20211122: blocked on toolchain backports (pochu)
--
firmware-nonfree (Markus Koschany)
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
--
gerbv (Anton)
  NOTE: 20211107: The fix has only one-line! But... be sure that the fix will help. (Anton)
  NOTE: 20211107: Please take the package if you can reproduce the issue with valgrind/AddressSanitizer/Leaksanitizer (Anton)
  NOTE: 20211107: The simple fix will unlikely help. (Anton)
  NOTE: 20211121: Still needs to be investigated with extra-tool. (Anton)
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/gmp/
--
gmp (Anton)
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/gmp/
--
gpac (Roberto C. Sánchez)
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
  NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
--
libgit2 (Utkarsh)
  NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed
  NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch
  NOTE: 20211029: 4 other CVEs might also be worth fixing (bunk)
  NOTE: 20211029: taking this with my maintainer hat on; will investigate
  NOTE: 20211029: and TAL later next week. (utkarsh)
  NOTE: 20211116: backports prepped; checking build and smoke-testing package. (utkarsh)
--
librecad (Sylvain Beucler)
  NOTE: 20211127: also take care of other suites
--
libssh2 (Ola Lundqvist)
  NOTE: 20211031: CVE-2019-13115 and CVE-2019-17498 were fixed in jessie DLAs
  NOTE: 20211031: but still need fixing in stretch and buster. (bunk)
  NOTE: 20211116: Work in progress for stretch. (ola)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
nvidia-graphics-drivers
  NOTE: package is in non-free but also in packages-to-support
  NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
  NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm
  NOTE: 20211108: now fixes all 5 CVEs (bunk)
--
opensc (Adrian Bunk)
--
pgbouncer (Thorsten Alteholz)
  NOTE: 20211128: also help with other releases
--
puppet
  NOTE: please recheck whether really affected
--
roundcube (Markus Koschany)
--
rsync (Adrian Bunk)
--
rustc (Roberto C. Sánchez)
  NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
  NOTE: https://bugs.debian.org/928422
  NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk)
  NOTE: 20211101: working on llvm-toolchain-11 update, which is needed by rustc (roberto)
  NOTE: 20211112: llvm-toolchain-11 update is now uploaded (roberto)
--
samba (Anton)
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
--
thunderbird (Emilio)
  NOTE: 20211122: blocked on toolchain backports (pochu)
--
wireshark (Adrian Bunk)
  NOTE: 20211119: Check https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55b7eff90db8487e20106c2c09e61293a477e89 (lamby)
--