An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
activemq (Abhijith PA)
NOTE: 20210301: Build available https://people.debian.org/~abhijith/upload/vda/activemq_5.14.3-3+deb9u2.dsc
--
ansible (Markus Koschany)
NOTE: 20210215: As discussed with the maintainer I will update Buster first and
NOTE: 20210215: after that LTS.
--
ceph
NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
NOTE: 20200928: If someone knows how to test the packages, please take this build and upload it (after testing).
NOTE: 20210118: wip (Emilio)
--
condor
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
NOTE: 20210205: Some patches seem to be available, but it is not clear whether they solve the whole issue or not. (ola)
--
dnsmasq
NOTE: 20210208: wip; difficult to backport the patches. (utkarsh)
--
firmware-nonfree
NOTE: 20201207: wait for the update in buster and backport that (Emilio)
--
glib2.0 (Emilio)
--
golang-1.7 (Sylvain Beucler)
--
golang-1.8 (Sylvain Beucler)
--
golang-github-appc-cni (Thorsten Alteholz)
NOTE: 20210221: also taking care of reverse dependencies
--
golang-gogoprotobuf (Ola Lundqvist)
NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby)
--
grub2
NOTE: 20210303: Suggestion from Salvatore: Handle this in the same way as for BootHole in stretch, there is no Secure Boot,
NOTE: 20210303: that is "[stretch] - grub2 <ignored> (No SecureBoot support in stretch)"
NOTE: 20210303: asked for further clarification from Salvatore. (utkarsh)
--
gsoap
--
guacamole-server (Anton Gladky)
NOTE: 20210217: Note may affect guacamole-client too (see note on security tracker). (lamby)
NOTE: 20210302: Contacted upstream. server is not affected at all, only client. (gladk)
--
jackson-dataformat-cbor (Abhijith PA)
--
libebml (Thorsten Alteholz)
NOTE: 20210221: testing package
--
libupnp
NOTE: 20210302: since utkarsh is working on wpa, might want to handle this as well? (abhijith)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mupdf
--
mqtt-client (Abhijith PA)
NOTE: 20210303: fix for CVE-2019-0222 needed for activemq. I will upload along with activemq (abhijith)
--
opendmarc
NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto)
NOTE: 20210104: wait for other CVEs (abhijith)
--
php-pear (Ola Lundqvist)
--
python3.5
NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby)
--
qemu
--
ruby-actionpack-page-caching
NOTE: 20200819: Upstream's patch does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
NOTE: 20200819: uses the path without normalising any "../" etc., simply
NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
--
ruby-doorkeeper
NOTE: 20200831: it's a breaking change, I'd rather not issue a DLA for this. (utkarsh)
NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
NOTE: 20200831: more investigation needed. (utkarsh)
NOTE: 20201009: on another note, it needs more investigation if this version is affected in
NOTE: 20201009: the first place or not. (utkarsh)
NOTE: 20201215: includes plaintext secret is not part of source code for stretch but there may be other ways to trigger this (ola)
--
ruby-kaminari
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both the
NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
NOTE: 20200819: file has been refactored a few times). (lamby)
NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
shiro
NOTE: 20200920: WIP
NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto)
--
spotweb
NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
--
subversion (Thorsten Alteholz)
NOTE: 20210221: solving build problems
--
tomcat7 (Utkarsh)
--
tomcat8 (Anton Gladky)
--
xmlbeans (Roberto C. Sánchez)
NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
NOTE: 20210222: upstream release with the fix). Trying to determine how to
NOTE: 20210222: implement the changes without introducing too much new code. (roberto)
--
zeromq3 (Anton Gladky)
--