An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To work on a package, simply add your name behind it.

To learn more about how this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append
notes rather than remove/replace existing ones.

--
asterisk
  NOTE: 20220810: Programming language: C.
  NOTE: 20220829: Ongoing triaging work. Maybe we should think about syncing
  NOTE: 20220829: bullseye and buster. (apo)
--
bind9
  NOTE: 20220925: Programming language: C.
--
bluez
  NOTE: 20220902: Programming language: C.
  NOTE: 20220902: Consider synchronizing with Stretch. (apo)
--
curl
  NOTE: 20220901: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
  NOTE: 20220904: Special attention: high popcon!
--
exiv2
  NOTE: 20220819: Programming language: C++.
  NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
  NOTE: 20220819: does not directly apply, but a very quick glance suggests the earlier code
  NOTE: 20220819: may be equally vulnerable. (Chris Lamb)
--
firmware-nonfree
  NOTE: 20220906: Consider checking the severity of the issues again and judge whether a
  NOTE: 20220906: correction is worth it.
--
frr (Thorsten Alteholz)
  NOTE: 20220923: Programming language: C.
--
gerbv
  NOTE: 20220923: Programming language: C.
--
gdal (Utkarsh)
  NOTE: 20220913: Programming language: C/C++, Python.
  NOTE: 20220913: Upcoming DSA (Beuc/front-desk)
  NOTE: 20220913: 2 CVEs already fixed in stretch&jessie (Beuc/front-desk)
--
glibc
  NOTE: 20220913: Programming language: C, Assembly.
  NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5 (Beuc/front-desk)
--
golang-1.11
  NOTE: 20220916: Programming language: Go.
  NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build
  NOTE: 20220916: dependencies (though recent bullseye updates didn't)
  NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3
  NOTE: 20220916: + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771
  NOTE: 20220916: CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806
  NOTE: 20220916: CVE-2022-24921
--
golang-go.crypto
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support, cf. buster release notes
  NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed,
  NOTE: 20220915: e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
  NOTE: 20220915: Special attention: also check bullseye status
--
golang-websocket
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies
--
imagemagick
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
kopanocore
  NOTE: 20220801: Programming language: C++.
  NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
--
linux (Ben Hutchings)
--
mbedtls (Utkarsh)
  NOTE: 20220821: Programming language: C.
--
netatalk (Stefano Rivera)
  NOTE: 20220816: Programming language: C.
  NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor)
--
node-tar
  NOTE: 20220907: Programming language: JavaScript.
--
node-thenify (Utkarsh)
  NOTE: 20220912: Programming language: JavaScript.
--
nodejs (Sylvain Beucler)
  NOTE: 20220801: Programming language: JavaScript, C/C++, Python.
  NOTE: 20220801: one of the upstream fixes doesn't address the security issue (jmm)
  NOTE: 20220912: backporting patches and determining testing procedures (Beuc)
--
openexr
  NOTE: 20220904: Programming language: C++.
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
openvswitch
  NOTE: 20220911: No known patch for this problem.
--
php-phpseclib
  NOTE: 20220909: Programming language: PHP.
  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not.
  NOTE: 20220909: It looks like it is affected by a small part of it that is best to fix.
--
phpseclib
  NOTE: 20220909: Programming language: PHP.
  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not.
  NOTE: 20220909: It looks like it is affected by a small part of it that is best to fix.
--
pluxml
  NOTE: 20220913: Programming language: PHP.
  NOTE: 20220913: Special attention: orphaned package.
--
python-django
  NOTE: 20220911: Programming language: Python
  NOTE: 20220911: There are many minor issues that should be done in a point release.
  NOTE: 20220911: No further point releases for buster.
  NOTE: 20220911: Some issue was fixed in stretch, so it should also be fixed for buster.
--
rails (Abhijith PA)
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression-causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and it is being tested (abhijith)
--
rainloop
  NOTE: 20220913: Programming language: PHP, JavaScript.
  NOTE: 20220913: Special attention: orphaned as of 2022-09.
  NOTE: 20220913: Upstream appeared dead but there was activity 2 weeks ago,
  NOTE: 20220913: a "SnappyMail" fork exists and may have patches we can use,
  NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
  NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk)
--
ruby-nokogiri
  NOTE: 20220911: Programming language: Ruby
  NOTE: 20220911: CVE-2022-24836 was fixed in stretch so it should be fixed in buster too.
--
ruby-sinatra
  NOTE: 20220911: Programming language: Ruby
--
runc
  NOTE: 20220905: Programming language: Go.
  NOTE: 20220905: Special attention: Sync with Bullseye.
--
salt
  NOTE: 20220814: Programming language: Python.
  NOTE: 20220814: Package is not in the packages supported by us.
  NOTE: 20220814: Also, I am not sure whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
--
samba
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
  NOTE: 20220904: Special attention: High popcon! Used in many servers.
  NOTE: 20220904: Many postponed or open CVEs in general. (apo)
--
snort
  NOTE: 20220905: Requires further triaging to conclude exactly which CVEs are to be fixed or ignored.
--
sox (Abhijith PA)
  NOTE: 20220818: Programming language: C.
  NOTE: 20220818: Requires some investigation; see #1012138 etc.
--
squid
  NOTE: 20220923: Programming language: C.
  NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 should be an issue, please recheck
--
thunderbird (Emilio)
--
trafficserver
  NOTE: 20220905: Programming language: C.
--
vim
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git
--
webkit2gtk (Emilio)
  NOTE: 20220921: coordinating update to 2.38 with berto (pochu)
--
wireshark
  NOTE: 20220916: Programming language: C.
--
wkhtmltopdf
  NOTE: 20220904: Programming language: C++.
--
wordpress
  NOTE: 20220911: Programming language: PHP
  NOTE: 20220911: Further investigation needed to see what parts of the 6.0.2 update apply to buster.
--
zabbix
  NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too.
--