A wheezy-lts security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it.
To learn more about how this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
ca-certificates
  NOTE: 2017-03-27: maintainer will handle the upload, see
  https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8839@pbandjelly.org
  NOTE: 2017-05-12: Pinged the maintainer -- Raphael Hertzog
--
eglibc
  NOTE: Patch available, however not yet applied upstream.
--
firefox-esr (Emilio Pozuelo)
--
imagemagick (Roberto C. Sánchez)
  NOTE: Fixes for CVE-2017-9261, CVE-2017-9262, CVE-2017-9405, CVE-2017-9407,
  NOTE: CVE-2017-9409, CVE-2017-9439, CVE-2017-9500, and CVE-2017-9501 have been
  NOTE: applied and pushed to the LTS Git repository for ImageMagick
  NOTE: (https://anonscm.debian.org/git/collab-maint/debian-lts/imagemagick.git)
  NOTE: CVE-2017-9440 and CVE-2017-9499 do not affect wheezy
  NOTE: Once more issues appear or sufficient time has passed, I will upload
--
irssi
  NOTE: Maintainer plans to do the update. The issue is not urgent according to
  NOTE: the maintainer.
--
jasper (Thorsten Alteholz)
  NOTE: 20170528, no patch available for the remaining CVEs yet, pinged upstream
--
jbig2dec (Thorsten Alteholz)
  NOTE: other no-dsa CVE issue open that might be worth fixing
  NOTE: jessie has the same version
--
jython (Markus Koschany)
--
libarchive
  NOTE: I suggest waiting for more issues. Could not find more information
  NOTE: about the undetermined CVEs. Debdiff is at:
  NOTE: https://people.debian.org/~apo/libarchive/libarchive.debdiff
--
libav
  NOTE: Diego Biurrun (from the libav team) is working on patches.
  NOTE: undetermined issues are currently being triaged (Diego Biurrun and Hugo Lefeuvre
  NOTE: have access to the original reproducers)
--
libraw (Emilio Pozuelo)
  NOTE: Maintainer contacted 2017-06-05.
--
libreoffice (Emilio Pozuelo)
  NOTE: regression update, see:
  NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html
--
libxml2 (Thorsten Alteholz)
  NOTE: 20170528, patches suggested but not accepted, bugs not yet public
--
libytnef (Thorsten Alteholz)
  NOTE: 20170528, patches missing
--
linux
--
mcollective
  NOTE: See https://lists.debian.org/debian-lts/2017/03/msg00008.html
--
mercurial
--
mupdf
--
mysql-connector-python
  NOTE: No patch to apply. Upstream has released new upstream version 2.1.6
  NOTE: with claimed fixes. Diff from prior version is 2198 lines long and
  NOTE: has 8 different bugs fixed. Only 2 reverse dependencies:
  NOTE: mysql-utilities and mysql-workbench.
--
openexr
--
postgresql-9.1 (Christoph Berg)
  NOTE: maintainer will give it a try tomorrow (2017-05-28)
--
puppet
  NOTE: 2017-06-01: Seems to be at puppet/indirector/catalog/compiler.rb (line 25),
  NOTE: 2017-06-01: however I don't know whether pson is the only supported format
  NOTE: 2017-06-01: in this older version of puppet. -- lamby@d.o
--
qemu (Guido Günther)
--
qemu-kvm (Guido Günther)
  NOTE: Investigating CVE-2017-2633
--
samba (Hugo Lefeuvre)
  NOTE: Trying to reproduce CVE-2017-9461 in the wheezy version
--
smb4k (Markus Koschany)
  NOTE: https://lists.debian.org/debian-lts/2017/06/msg00078.html
--
sudo
  NOTE: this is about https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd
  NOTE: which might well be fixed once more issues have piled up
--
swftools (Thorsten Alteholz)
  NOTE: 20170528, one upstream fix is not yet complete
--
tomcat7 (Markus Koschany)
--
trafficserver
  NOTE: maintainer contacted 2017-04-26
  NOTE: reproducer doesn't crash server in a test VM - ? --anarcat
--
wireshark
  NOTE: maintainer *may* take care of this, as previously
--
wordpress
--
xbmc
  NOTE: Reproduced: https://lists.debian.org/debian-lts/2017/04/msg00025.html
  NOTE: no upstream fix, may require refactoring
--
xen
--
yaml-cpp
  NOTE: fix sent upstream, waiting for review
--
zoneminder
  NOTE: SQL injection and session fixation vulnerability fixes:
  NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1764/files
  NOTE: No CVE assigned.
--
zziplib (Thorsten Alteholz)
--