An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To work on a package, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- 389-ds-base NOTE: 20220516: Source code is vulnerable to CVE-2022-0996. The package do not have a large install base so the NOTE: 20220516: priority of fixing is probably low. -- amd64-microcode -- asterisk (Abhijith PA) NOTE: 20220424: programming language C -- avahi NOTE: 20220523: Harmonize with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk) -- cgal NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton) -- ckeditor (Sylvain Beucler) NOTE: 20220402: multiple pendings vulnerabilities (Beuc/front-desk) NOTE: 20220510: no rdeps, no sponsors, most CVEs require following upstream stable 4.x, NOTE: 20220510: considering either ignoring, or mass-bumping all dists, NOTE: 20220510: waiting for ckeditor_3_ discussion to close up first (Beuc) NOTE: 20220510: https://lists.debian.org/debian-lts/2022/05/msg00018.html -- clamav (Emilio) NOTE: 20220510: Programming language C. (apo) -- curl (Emilio) NOTE: 20220510: Programming language C. -- cyrus-imapd NOTE: 20220523: Harmonize with DSA-4590-1 and Debian 10.11 (2 CVEs) (Beuc/front-desk) -- debian-security-support (Utkarsh) NOTE: 20220402: need to update the list of unsupported packages (Beuc/front-desk) NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc/front-desk) NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg00000.html (Beuc/front-desk) NOTE: 20220502: backport prepped, will contact Holger for more details. (utkarsh) NOTE: 20220516: in review, will also co-help Holger to maintain this. (utkarsh) -- dpdk NOTE: 20220523: Harmonize with Debian 10.7 (5 CVEs) (Beuc/front-desk) -- exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. -- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag NOTE: 20211207: Intend to release this week. -- freerdp NOTE: 20220525: ~40 minor CVEs, consider coordinating with maintainer and/or secteam to do the same in freerdp2/buster (Beuc/front-desk) -- gerbv NOTE: 20220321: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton) NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton) NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton) -- glib2.0 NOTE: 20220523: Harmonize with Debian 10.10 (3 CVEs) (Beuc/front-desk) -- golang-go.crypto NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk) -- haproxy NOTE: 20220523: Harmonize with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk) -- horizon NOTE: 20220523: Harmonize with DSA-4820-1 (1 CVE) (Beuc/front-desk) NOTE: 20220523: part of OpenStack (Beuc/front-desk) -- icingaweb2 (Abhijith PA) NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) NOTE: 20220522: Pinged upstream for missing patches. Will write an detail NOTE: 20220522: email about situation (abhijith) -- intel-microcode NOTE: 20220213: please recheck -- isync NOTE: 20220523: Harmonize with Debian 10.10 and possibly 11.2 (3 CVEs) (Beuc/front-desk) -- kvmtool NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk) NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk) -- lemonldap-ng NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk) -- libdbi-perl NOTE: 20220523: Harmonize with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401 NOTE: 20220523: which was fixed before stretch, buster's debian/changelog is incorrect) (Beuc/front-desk) -- libjpeg-turbo NOTE: 20220523: Harmonize with Debian 10.7 (only 1 CVE but last NOTE: 20220523: stretch update back in 2020 and possible RCE) (Beuc/front-desk) -- liblouis NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo, NOTE: 20220503: Patch not applied upstream yet. -- libvirt (Thorsten Alteholz) NOTE: 20220522: testing package -- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- mailman NOTE: 20220523: Harmonize with Debian 10.12 (3 CVEs, regression fixes) (Beuc/front-desk) -- manila NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) (Beuc/front-desk) NOTE: 20220523: part of OpenStack (Beuc/front-desk) -- mariadb-10.1 NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton) -- mbedtls (Utkarsh) NOTE: 20220404: update prepared, needs testing. (utkarsh) NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh) NOTE: 20220502: will upload with 1 fix and mark the other one NOTE: 20220502: as no-dsa today/tomorrow. (utkarsh) NOTE: 20220516: helf off upload to see if the other one should NOTE: 20220516: be squeezed in. waiting on -pu. (utkarsh) -- modsecurity-apache (Chris Lamb) NOTE: 20220524: Harmonize with DSA-5023-1 (1 CVE) (Beuc/front-desk) -- modsecurity-crs NOTE: 20220524: Harmonize with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk) -- mysql-connector-java (Markus Koschany) NOTE: 20220512: Requires a new upstream version. (apo) -- ncurses NOTE: 20220524: Harmonize with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk) -- ntfs-3g NOTE: 20220515: Please recheck. There are currently not enough information NOTE: available. (apo) -- nvidia-cuda-toolkit NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc/front-desk) -- nvidia-graphics-drivers NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc/front-desk) NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential NOTE: 20220209: backport (apo) -- openscad NOTE: 20220524: Harmonize with Debian 10.12 (1 CVE) (Beuc/front-desk) NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc (Beuc/front-desk) -- pam-u2f NOTE: 20220524: Harmonize with Debian 10.1 (2 CVEs + some non-CVE'd fixes) (Beuc/front-desk) -- pdns NOTE: 20220402: harmonize with buster/10.8 (Beuc/front-desk) NOTE: 20220506: buster patches backported in https://salsa.debian.org/enrico/pdns/-/tree/stretch NOTE: 20220506: and #debian-dns notified (enrico) NOTE: 20220506: the patch for https://security-tracker.debian.org/tracker/CVE-2022-27227 NOTE: 20220506: would need to be completely rewritten for the stretch codebase (enrico) NOTE: 20220506: package builds but does not run a test suite, and I lack the NOTE: 20220506: know-how for testing manually (enrico) -- pjproject -- plinth NOTE: 20220524: Harmonize with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk) -- pngcheck NOTE: 20220524: Harmonize with Debian 10.8 (1 CVE) (Beuc/front-desk) -- postgresql-9.6 NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk) NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk) NOTE: 20220523: Christoph Berg won't handle this update (Beuc/front-desk) NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html -- puppet-module-puppetlabs-firewall NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk) -- redis (Chris Lamb) NOTE: 20220510: Chris Lamb is the maintainer. Programming language C. (apo) -- request-tracker4 NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk) -- ring NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) NOTE: 20220404: a network error (abhijith) NOTE: 20220506: Pinged maintainer team and maintainer (abhijith) NOTE: 20220526: Re pinged Debian maintainer and Pinged upstream for help. (abhijith) -- ros-ros-comm NOTE: 20220524: Harmonize with Debian 10.7 and 10.12 (2 CVEs) (Beuc/front-desk) -- ruby-devise-two-factor NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result NOTE: 20220427: of an incomplete fix to CVE-2015-7225. Will require some investigation. (lamby) NOTE: 20220502: should be marked as no-dsa; will send more details on the list. (utkarsh) -- salt -- samba NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton) NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh) NOTE: 20220125: ftbfs, wip. (utkarsh) -- sleuthkit NOTE: 20220524: Harmonize with Debian 10.0 and 10.7 (2 CVEs) (Beuc/front-desk) -- slurm-llnl (Thorsten Alteholz) NOTE: 20220516: Checking the code it looks like the patches will apply so the code is clearly vulnerable. -- snapd NOTE: 20220308: seems vulnerable at least to setup_private_mount, NOTE: 20220308: but double check (pochu) -- sox NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton) NOTE: 20220326: https://salsa.debian.org/lts-team/packages/sox NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton) -- spip -- subversion (Roberto C. Sánchez) NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment) NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby) NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico) NOTE: 20220525: Based on the results of Enrico's analysis and some further work, I was able to have the test execute reliably (roberto) NOTE: 20220525: The test passes, which seems to indicate that the vulnerability does not affect 1.9.5 (roberto) NOTE: 20220525: I have asked Enrico to replicate my findings (roberto) -- systemd NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13 NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but at the NOTE: 20220524: same time is severe and was fixed in other old distros (Beuc/front-desk) -- tiff (Utkarsh) NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff. NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh) NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh) NOTE: 20220502: will collate the new CVEs and update the package. (utkarsh) NOTE: 20220513: more CVEs, ugh. Probably will consider rolling out the ones NOTE: 20220513: that are already applied and tested and re-add tiff here. (utkarsh) -- ublock-origin NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk) -- unzip NOTE: 20220319: no patches yet but reproducible (apo) NOTE: 20220429: CVE-2022-0530: reported #1010355 with a proposed patch (enrico) NOTE: 20220429: CVE-2022-0529: sent a proposed patch to sanvila and team@s.d.o (enrico) -- vlc NOTE: 20220524: Consider bumping to 3.12 (or later) as in DSA-4834-1 (Beuc/front-desk) -- zipios++ (Thorsten Alteholz) NOTE: 20220524: Harmonize with Debian 10.5 (1 CVE) (Beuc/front-desk) --