An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
ansible
NOTE: 20210411: As discussed with the maintainer I will update Buster first and
NOTE: 20210411: after that LTS. (apo)
NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
ceph (Markus Koschany)
NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
NOTE: 20200928: If someone knows how to test the packages please take this build and upload (after testing it).
NOTE: 20210118: wip (Emilio)
NOTE: 20210726: https://people.debian.org/~apo/lts/ceph/
NOTE: 20210726: Patch for CVE-2018-16846 is not complete yet.
--
condor (Markus Koschany)
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
NOTE: 20210205: Some patches seem to be available but not clear if they solve the whole issue or not. (ola)
NOTE: 20210726: https://people.debian.org/~apo/lts/condor/
NOTE: 20210726: Needs more testing
--
curl (Adrian Bunk)
--
ffmpeg (Anton Gladky)
NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15
NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are
NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS,
NOTE: 20210607: so some investigation and insight is required to see which
NOTE: 20210607: apply and/or what we do with the version of ffmpeg in LTS
NOTE: 20210607: going forward. There is a 3.4.x release branch, for example,
NOTE: 20210607: but unclear on the compatibility as well as whether this one
NOTE: 20210607: won't just be dropped too, etc. etc. (lamby)
NOTE: 20210719: https://salsa.debian.org/lts-team/packages/ffmpeg/-/blob/master/debian/changelog
NOTE: 20210719: CVE-2020-22036 and CVE-2020-22032 are done. Many false-positive. Investigating.
--
firmware-nonfree (Anton Gladky)
--
gpac (Thorsten Alteholz)
NOTE: 20210719: WIP
--
libsndfile (Thorsten Alteholz)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
linuxptp (Thorsten Alteholz)
--
nettle (Emilio)
NOTE: 20210719: difficult backport, wip (Emilio)
--
nvidia-graphics-drivers
NOTE: package is in non-free but also in packages-to-support
NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
openexr
--
openjdk-8 (Emilio)
--
pillow (codehelp)
--
python-babel
NOTE: 20210617: CVE ID rejected. (abhijith)
NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
NOTE: 20210620: Revisit when it has an assigned CVE Id. (abhijith)
--
ruby-kaminari
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both the
NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
NOTE: 20200819: file has been refactored a few times). (lamby)
NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
NOTE: 20210719: https://people.debian.org/~apo/lts/ruby-kaminari/CVE-2020-11082.patch
NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari.
NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly.
--
runc (Abhijith PA)
NOTE: 20210612: Not sure if applies to this version. (lamby)
NOTE: 20210721: Requires more investigation. Even Ubuntu ESM, LTS uploaded fixed upstream version.
--
salt
NOTE: 20210329: WIP (utkarsh)
NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh)
NOTE: 20210607: new CVE patch proposed by damien; donfede to provide a debdiff. (utkarsh)
--
shiro (Roberto C. Sánchez)
NOTE: 20200920: WIP
NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto)
NOTE: 20210511: Upstream provided suggestions/guidance on testing of backported fixes; testing/tweaking is in progress. (roberto)
NOTE: 20210728: Resume work to wrap everything up in the next few days (I hope); still need to work out some snags with Guice. (roberto)
--