path: root/data/dla-needed.txt
blob: f2ea411cc496ce8b0c277f5b5e2d59b200a36d44
An LTS security update is needed for the following source packages.

To add a new entry, please coordinate with this week's Front-Desk
person, and use the 'package-operations' LTS tool.

The specific CVE IDs do not need to be listed; an up-to-date list can be gathered from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

When checking what packages to work on, use:
$ ./find-work
from the LTS admin repository, to sort packages by priority and
display important notes about the package (special attention, VCS,
testing procedures, programming language, etc.).

To work on a package, simply add your name after it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
amanda (Thorsten Alteholz)
  NOTE: 20230730: Added by Front-Desk (apo)
  NOTE: 20230827: still testing package (ta)
--
aom (Markus Koschany)
  NOTE: 20230823: Added by Front-Desk (apo)
--
c-ares (Utkarsh)
  NOTE: 20230826: Added by Front-Desk (utkarsh)
  NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this one. Will look thoroughly. (utkarsh)
--
cairosvg
  NOTE: 20230323: Added by Front-Desk (gladk)
  NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
--
cinder
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
clamav (Utkarsh)
  NOTE: 20230821: Added by Front-Desk (ta)
--
docker.io
  NOTE: 20230303: Added by Front-Desk (Beuc)
  NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
  NOTE: 20230424: Is in preparation. (gladk)
  NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html
  NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version)
--
dogecoin
  NOTE: 20230619: Added by Front-Desk (Beuc)
  NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream,
  NOTE: 20230619: I suggest pinging/coordinating with upstream to know the current status;
  NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
  NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
--
firmware-nonfree
  NOTE: 20230820: Added by Front-Desk (ta)
--
flac
  NOTE: 20230827: Added by Front-Desk (utkarsh)
  NOTE: 20230827: incoming DSA
--
flask-security (Sean Whitton)
  NOTE: 20230811: Added by Front-Desk (Beuc)
  NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/37
  NOTE: 20230811: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)
--
freeimage
  NOTE: 20230826: Added by Front-Desk (utkarsh)
  NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him
  NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll
  NOTE: 20230826: out the DLA/ELA now. (utkarsh)
--
glib2.0 (santiago)
  NOTE: 20230612: Added by Front-Desk (apo)
  NOTE: 20230710: WIP (santiago)
  NOTE: 20230724: buster should be ready. Need to see if it's possible to run the same reporter's fuzz test
  NOTE: 20230807: idem.
  NOTE: 20230820: asked for review/test.
--
gst-plugins-ugly1.0 (Adrian Bunk)
  NOTE: 20230812: Added by Front-Desk (Beuc)
  NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/39
--
i2p
  NOTE: 20230809: Added by Front-Desk (Beuc)
  NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
--
imagemagick (rouca)
  NOTE: 20230622: Added by Front-Desk (Beuc)
  NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
--
libreswan (Markus Koschany)
  NOTE: 20230817: Added by Front-Desk (ta)
--
linux (Ben Hutchings)
  NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
nova
  NOTE: 20230302: Re-add, request by maintainer (Beuc)
  NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
  NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes);
  NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
  NOTE: 20230302: "The upstream patch introduces a whitelist of allowed subtype (with monoliticFlat disabled by default).
  NOTE: 20230302:  Though in the Buster codebase, there was no infrastructure to check for this subtype ..." (zigo)
  NOTE: 20230302: Later suites (e.g. bullseye) ship a direct upstream patch and are not affected.
  NOTE: 20230302: We can either rework the patch, or disable .vmdk support entirely.
  NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby)
--
nvidia-cuda-toolkit
  NOTE: 20230514: Added by Front-Desk (utkarsh)
  NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
  NOTE: 20230514: piled up. (utkarsh)
  NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
  NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
opendkim
  NOTE: 20230821: Added by Front-Desk (ta)
--
opendmarc (Chris Lamb)
  NOTE: 20230811: Added by Front-Desk (Beuc)
  NOTE: 20230810: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/34
--
openjdk-11
  NOTE: 20230419: Added by Front-Desk (ola)
  NOTE: 20230522: waiting for sid update (pochu)
  NOTE: 20230612: sid updated, preparing backport (pochu)
  NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu)
  NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking
  NOTE: 20230802: whether to change jtreg version (pochu)
--
orthanc (gladk)
  NOTE: 20230812: Added by Front-Desk (Beuc)
  NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41
  NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk)
--
otrs2 (guilhem)
  NOTE: 20230811: Added by Front-Desk (Beuc)
  NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/32
  NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported),
  NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk)
--
php7.3 (guilhem)
  NOTE: 20230820: Added by Front-Desk (ta)
--
python-glance-store
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
  NOTE: 20230705: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store (jspricke)
  NOTE: 20230705: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. (jspricke)
--
python-mechanicalsoup
  NOTE: 20230819: Added by Front-Desk (ta)
--
python-os-brick
  NOTE: 20230525: Added by Front-Desk (lamby)
  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python2.7
  NOTE: 20230826: Added by Front-Desk (utkarsh)
  NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's not-affected but it needs
  NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was partially fixed in some suites
  NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now available and can be fixed now. (utkarsh)
  NOTE: 20230826: contact Utkarsh in case you're unable to find the supplementary patch. (utkarsh)
--
qpdf (Thorsten Alteholz)
  NOTE: 20230820: Added by Front-Desk (ta)
--
qt4-x11
  NOTE: 20230822: Re-added for one remaining open CVE (roberto)
  NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto)
--
rails (utkarsh)
  NOTE: 20220909: Re-added due to regression (abhijith)
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
  NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
  NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
  NOTE: 20221024: to break thrice in less than 2 months.
  NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
--
ring (Thorsten Alteholz)
  NOTE: 20221120: Added by Front-Desk (ta)
  NOTE: 20230827: testing package, almost done
--
ruby-loofah
  NOTE: 20221231: Added by Front-Desk (ola)
  NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)
  NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby)
  NOTE: 20230403: Everything ready in git, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert/inactive)
  NOTE: 20230808: utkarsh mentions on IRC he's busy with other packages, this is "free to claim atm". (Beuc/front-desk)
--
ruby-rails-html-sanitizer
  NOTE: 20221231: Added by Front-Desk (ola)
  NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)
  NOTE: 20230808: utkarsh mentions on IRC he's busy with other packages, this is "free to claim atm". (Beuc/front-desk)
--
ruby-rmagick (rouca)
  NOTE: 20230808: Added by Front-Desk on rouca's (imagemagick package maintainer) request (Beuc)
--
salt
  NOTE: 20220814: Added by Front-Desk (gladk)
  NOTE: 20220814: I am not sure whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
  NOTE: 20230720: Backport to at least 3002.9 in order to fix protocol flaws between client/server
  NOTE: 20230720: Users will need to update both client and server synchronously (flag day).
  NOTE: 20230720: Unfortunately, upgrading will need an update to some configuration files
  NOTE: 20230720: https://docs.saltproject.io/en/master/topics/releases/2019.2.0.html#non-backward-compatible-change-to-yaml-renderer
  NOTE: 20230720: There are also some minor changes here:
  NOTE: 20230720: https://docs.saltproject.io/en/master/topics/releases/3002.html#execution-module-changes
  NOTE: 20230720: Last but not least salt is not present in stable/testing (rouca)
--
samba
  NOTE: 20220904: Added by Front-Desk (apo)
  NOTE: 20220904: Many postponed or open CVEs in general. (apo)
  NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
  NOTE: 20230807: WIP package is available at git@salsa.debian.org:lts-team/packages/samba.git
  NOTE: 20230807: in the branch "lgarrett/2023-02-23-debian/buster-proposed"
  NOTE: 20230807: functional test framework is however needed (WIP) as most
  NOTE: 20230807: CVEs/bugfixes don't have test coverage.
  NOTE: 20230822: https://lists.debian.org/debian-lts/2023/08/msg00027.html (lee)
--
suricata (Adrian Bunk)
  NOTE: 20230620: Added by Front-Desk (Beuc)
  NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with the last LTS update in Jessie,
  NOTE: 20230620: I'd suggest reviewing the CVEs, refining the triage (postponed/ignored),
  NOTE: 20230620: and possibly issuing a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk)
  NOTE: 20230714: Still reviewing+testing CVEs. (bunk)
  NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
--
tiff
  NOTE: 20230826: Added by Front-Desk (utkarsh)
--
trafficserver
  NOTE: 20230826: Added by Front-Desk (utkarsh)
  NOTE: 20230826: have pinged Leo in Ubuntu to clarify the status on the
  NOTE: 20230826: Ubuntu side and track the fixing commits. I'll update when
  NOTE: 20230826: I have the answer here. (utkarsh)
--
tryton-server
  NOTE: 20230826: Added by Front-Desk (utkarsh)
  NOTE: 20230826: sync with the DSA released. (utkarsh)
--