path: root/data/dla-needed.txt
blob: 5f83883defb157eec77ea61a2f27b9e9b19a29af
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To work on a package, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
389-ds-base
  NOTE: 20220529: Programming language: Python.
  NOTE: 20220516: Source code is vulnerable to CVE-2022-0996. The package does not have a large install base, so the
  NOTE: 20220516: priority of fixing is probably low.
--
amd64-microcode
  NOTE: 20220529: Programming language: binary blob.
--
apache2 (Roberto C. Sánchez)
  NOTE: 20220618: Programming language: C.
--
blender (Thorsten Alteholz)
  NOTE: 20220529: Programming language: C++.
  NOTE: 20220528: 3 CVEs now fixed in unstable, but the maintainer was never approached to fix in stable/oldstable;
  NOTE: 20220528: maybe coordinate with them (Beuc/front-desk)
  NOTE: 20220613: testing package
--
cgal
  NOTE: 20220529: Programming language: C++.
  NOTE: 20220421: many no-dsa issues; please check whether it is possible to fix them without uploading a new upstream release (Anton)
--
ckeditor
  NOTE: 20220529: Programming language: JavaScript.
  NOTE: 20220402: multiple pending vulnerabilities (Beuc/front-desk)
  NOTE: 20220510: no rdeps, no sponsors, most CVEs require following upstream stable 4.x,
  NOTE: 20220510: considering either ignoring, or mass-bumping all dists,
  NOTE: 20220510: waiting for ckeditor_3_ discussion to close up first (Beuc)
  NOTE: 20220510:   https://lists.debian.org/debian-lts/2022/05/msg00018.html
  NOTE: 20220601: ckeditor3 is now end-of-life
  NOTE: 20220601:   https://salsa.debian.org/debian/debian-security-support/-/merge_requests/14
  NOTE: 20220617: contacted maintainers and secteam (Beuc)
  NOTE: 20220617:   https://lists.debian.org/debian-lts/2022/06/msg00023.html
--
curl (Emilio)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220530: update prepared, but there are test regressions, investigating (pochu)
  NOTE: 20220615: made some progress on the test regressions, some are due to flaky tests apparently,
  NOTE: 20220615: but at least one seems to be caused by one of the fixes (pochu)
--
exempi
  NOTE: 20220529: Programming language: C++.
  NOTE: 20220517: A lot of packages reverse-depend on libexempi8. Further analysis
  NOTE: 20220517: is needed.
--
firejail (Sylvain Beucler)
  NOTE: 20220616: Programming language: C.
--
firmware-nonfree
  NOTE: 20220529: Programming language: binary blob.
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
freerdp
  NOTE: 20220529: Programming language: C.
  NOTE: 20220525: ~40 minor CVEs, consider coordinating with maintainer and/or secteam to do the same in freerdp2/buster (Beuc/front-desk)
--
gerbv
  NOTE: 20220529: Programming language: C.
  NOTE: 20220321: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton)
  NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton)
  NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton)
--
golang-github-hashicorp-go-getter (Thorsten Alteholz)
  NOTE: 20220529: Programming language: Go.
  NOTE: 20220528: limited golang support in stretch (cf. stretch release notes)
  NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages (Beuc/front-desk)
  NOTE: 20220613: testing package
--
golang-go.crypto (Dominik George)
  NOTE: 20220529: Programming language: Go.
  NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk)
  NOTE: 20220625: Recreated Git history for previous LTS upload.
  NOTE: 20220625: Upstream patch is quite large; still trying to figure out how much of it is relevant. (natureshadow)
--
grub2
  NOTE: 20220616: Programming language: C.
  NOTE: 20220616: Several CVEs need to be analyzed: fixed or tagged (Anton).
  NOTE: 20220624: CVEs are all related to SecureBoot, for which jessie and stretch have no support (enrico)
--
grunt
  NOTE: 20220529: Programming language: JavaScript.
  NOTE: 20220528: upcoming stable update (cf. #1010211) + 1 new CVE (Beuc/front-desk)
--
halibut (Anton)
  NOTE: 20220528: Programming language: C.
  NOTE: 20220605: https://salsa.debian.org/lts-team/packages/halibut/ (Anton)
  NOTE: 20220605: patch is over 2600 lines long. Consider updating to the 1.3 version (Anton)
  NOTE: 20220605: Maintainer is contacted regarding this issue (Anton)
  NOTE: 20220607: Maintainer is OK with the backport. But reverse dependencies should be checked to see whether the new version
  NOTE: 20220607: produces the same output. (Anton)
  NOTE: 20220620: test package is built locally. Testing (Anton)
--
horizon
  NOTE: 20220529: Programming language: Python.
  NOTE: 20220523: Follow buster: harmonize with DSA-4820-1 (1 CVE) (Beuc/front-desk)
  NOTE: 20220523: part of OpenStack (Beuc/front-desk)
--
icingaweb2 (Abhijith PA)
  NOTE: 20220529: Programming language: PHP.
  NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.6.2-3~bpo9+1+deb9u1.dsc (abhijith)
--
intel-microcode
  NOTE: 20220529: Programming language: binary blob.
  NOTE: 20220213: please recheck
--
isync
  NOTE: 20220528: Programming language: C.
  NOTE: 20220523: Follow buster: harmonize with Debian 10.10 and possibly 11.2 (3 CVEs) (Beuc/front-desk)
--
jupyter-notebook
  NOTE: 20220529: Programming language: Python.
  NOTE: 20220528: wrt CVE-2021-32798, caja is bundled (not external), cf. README.source (Beuc/front-desk)
--
keepass2
  NOTE: 20220529: Programming language: C#.
  NOTE: 20220605: no patch available yet
  NOTE: 20220624: tried to reproduce this on stretch, buster, and bullseye, and failed: details at #1008022 (enrico)
--
kvmtool
  NOTE: 20220529: Programming language: C.
  NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk)
  NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk)
--
lemonldap-ng
  NOTE: 20220529: Programming language: Perl.
  NOTE: 20220523: Follow buster: harmonize with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk)
--
liblouis
  NOTE: 20220529: Programming language: C.
  NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
  NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
  NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo,
  NOTE: 20220503: Patch not applied upstream yet.
--
libmatio (Abhijith PA)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220528: lots of postponed minor vulnerabilities, no past stretch security upload, supported package (Beuc/front-desk)
  NOTE: 20220622: Continue with remaining work (abhijith)
--
libvirt (Thorsten Alteholz)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220620: testing package
--
linux (Ben Hutchings)
  NOTE: 20220529: Programming language: C.
--
linux-4.19 (Ben Hutchings)
  NOTE: 20220529: Programming language: C.
--
manila
  NOTE: 20220529: Programming language: Python.
  NOTE: 20220523: Follow buster: harmonize with Debian 10.4 (1 CVE) (Beuc/front-desk)
  NOTE: 20220523: part of OpenStack (Beuc/front-desk)
--
mariadb-10.1
  NOTE: 20220529: Programming language: C.
  NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
--
maven-shared-utils (Markus Koschany)
  NOTE: 20220606: Programming language: Java.
--
mbedtls (Utkarsh)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220404: update prepared, needs testing. (utkarsh)
  NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh)
  NOTE: 20220502: will upload with 1 fix and mark the other one
  NOTE: 20220502: as no-dsa today/tomorrow. (utkarsh)
  NOTE: 20220516: held off upload to see if the other one should
  NOTE: 20220516: be squeezed in. waiting on -pu. (utkarsh)
--
modsecurity-crs (Andreas Rönnquist)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220524: Follow buster: harmonize with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk)
--
ncurses (Thorsten Alteholz)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220524: Follow buster: harmonize with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk)
  NOTE: 20220613: testing package
--
netatalk
  NOTE: 20220616: Programming language: C.
--
nvidia-cuda-toolkit
  NOTE: 20220529: Programming language: C.
  NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc/front-desk)
--
nvidia-graphics-drivers
  NOTE: 20220529: Programming language: binary blob.
  NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc/front-desk)
  NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
  NOTE: 20220209: backport (apo)
--
ompl
  NOTE: 20220622: Programming language: C++.
  NOTE: 20220622: CVE-2021-42218 and CVE-2021-41490 are fixed in upstream git, memory leaks, unimportant
--
openscad (Helmut Grohne)
  NOTE: 20220529: Programming language: C++.
  NOTE: 20220524: Follow buster: harmonize with Debian 10.12 (1 CVE) (Beuc/front-desk)
  NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc (Beuc/front-desk)
--
pam-u2f (Andreas Rönnquist)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220524: Follow buster: harmonize with Debian 10.1 (2 CVEs + some non-CVE'd fixes) (Beuc/front-desk)
--
pdns
  NOTE: 20220529: Programming language: C++.
  NOTE: 20220402: harmonize with buster/10.8 (Beuc/front-desk)
  NOTE: 20220506: buster patches backported in https://salsa.debian.org/enrico/pdns/-/tree/stretch
  NOTE: 20220506: and #debian-dns notified (enrico)
  NOTE: 20220506: the patch for https://security-tracker.debian.org/tracker/CVE-2022-27227
  NOTE: 20220506: would need to be completely rewritten for the stretch codebase (enrico)
  NOTE: 20220506: package builds but does not run a test suite, and I lack the
  NOTE: 20220506: know-how for testing manually (enrico)
--
php-horde-turba
  NOTE: 20220603: Programming language: PHP.
--
postgresql-9.6 (Roberto C. Sánchez)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk)
  NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk)
  NOTE: 20220523: Christoph Berg won't handle this update (Beuc/front-desk)
  NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html
  NOTE: 20220608: Prepared backport of upstream patches and requested upstream review (roberto)
  NOTE: 20220608: Upstream recommended waiting until a reported regression has been resolved (roberto)
--
puppet-module-puppetlabs-firewall
  NOTE: 20220529: Programming language: Ruby.
  NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk)
--
qemu (Abhijith PA)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220527: a few new CVEs since last DLA, and buster has had no updates for 2 years,
  NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk)
--
ring
  NOTE: 20220529: Programming language: C++.
  NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
  NOTE: 20220404: package in archive is faulty. New regs can't be done due to
  NOTE: 20220404: a network error (abhijith)
  NOTE: 20220506: Pinged maintainer team and maintainer (abhijith)
  NOTE: 20220526: Re-pinged Debian maintainer and pinged upstream for help. (abhijith)
--
ros-ros-comm
  NOTE: 20220529: Programming language: Python.
  NOTE: 20220524: Follow buster: harmonize with Debian 10.7 and 10.12 (2 CVEs) (Beuc/front-desk)
--
ruby-devise-two-factor
  NOTE: 20220529: Programming language: Ruby.
  NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result
  NOTE: 20220427: of an incomplete fix to CVE-2015-7225. Will require some investigation. (lamby)
  NOTE: 20220502: should be marked as no-dsa; will send more details on the list. (utkarsh)
--
rustc (Emilio)
  NOTE: 20220614: backporting toolchain (rust, llvm...) for Firefox 102 ESR (pochu)
--
salt
  NOTE: 20220529: Programming language: Python.
--
samba
  NOTE: 20220529: Programming language: C.
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
  NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
  NOTE: 20220125: ftbfs, wip. (utkarsh)
--
slurm-llnl
  NOTE: 20220529: Programming language: C.
  NOTE: 20220516: Checking the code, it looks like the patches will apply, so the code is clearly vulnerable.
--
snapd
  NOTE: 20220529: Programming language: Go.
  NOTE: 20220308: seems vulnerable at least to setup_private_mount,
  NOTE: 20220308: but double check (pochu)
--
sox
  NOTE: 20220529: Programming language: C.
  NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton)
  NOTE: 20220326: https://salsa.debian.org/lts-team/packages/sox
  NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton)
--
spip
  NOTE: 20220529: Programming language: PHP.
--
systemd (Stefano Rivera)
  NOTE: 20220529: Programming language: C.
  NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13
  NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but at the
  NOTE: 20220524: same time is severe and was fixed in other old distros (Beuc/front-desk)
--
tiff
  NOTE: 20220529: Programming language: C.
  NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff.
  NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh)
  NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh)
  NOTE: 20220502: will collate the new CVEs and update the package. (utkarsh)
  NOTE: 20220513: more CVEs, ugh. Probably will consider rolling out the ones
  NOTE: 20220513: that are already applied and tested and re-add tiff here. (utkarsh)
--
ublock-origin
  NOTE: 20220529: Programming language: JavaScript.
  NOTE: 20220524: Follow buster: harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk)
--
unzip
  NOTE: 20220529: Programming language: C.
  NOTE: 20220319: no patches yet but reproducible (apo)
  NOTE: 20220429: CVE-2022-0530: reported #1010355 with a proposed patch (enrico)
  NOTE: 20220429: CVE-2022-0529: sent a proposed patch to sanvila and team@s.d.o (enrico)
--