path: root/data/dla-needed.txt
A wheezy-lts security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
asterisk
--
ca-certificates
  NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155c5a@pbandjelly.org
  NOTE: 20171013: pinged maintainer: https://lists.debian.org/87efpuc95w.fsf@curie.anarc.at (anarcat)
--
couchdb
  NOTE: Only in wheezy, we are on our own.
--
graphicsmagick (Markus Koschany)
--
icu (Roberto C. Sánchez)
--
imagemagick (Markus Koschany)
--
lame (Hugo Lefeuvre)
  NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46}
  NOTE: 20171120: Backporting 3.100 is not conceivable, diff >40k lines.
  NOTE: Instead, lame's maintainer will switch jessie to also use libsndfile in the next Jessie
  NOTE: point update, simply forward the changes to Wheezy (this should fix almost all open CVEs).
--
libav (Hugo Lefeuvre)
  NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches.
--
libreoffice (Emilio Pozuelo)
  NOTE: regression update, see:
  NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html
--
libvorbis (Guido Günther)
  NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this.
  NOTE: Fixes for other CVEs applied upstream.
--
linux
--
ming (Hugo Lefeuvre)
  NOTE: 20171120: wip, currently working on it with upstream, might take a while
  NOTE: Some issues currently in upstream's bug tracker are missing a CVE number, so number of issues might increase in the next weeks
--
mupdf
  NOTE: 20171224: Upstream patch does not apply to LTS cleanly. Might need changes to apps/pdfclean.c rather than pdf-write.c (lamby)
--
swftools (Guido Günther)
  NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
  NOTE: 20171210: likely to be turned into a pkg with limited sec support
--
tiff
--
tiff3
--
wireshark (Thorsten Alteholz)
  NOTE: 2017-08-28: Contacted maintainer since most issues affect Jessie/Stretch as well
  NOTE: 2017-12-12: The maintainer asked us to handle the package ourselves. See
  NOTE: https://lists.debian.org/CAK0OdpxNTE9C82Ltt85Jn_PiyJ_odW7wJ3VTtAm1LNmQA7ks6A@mail.gmail.com
--
wordpress
  NOTE: 2017-12-25: Fix requires migrating users from MD5 -> bcrypt. (lamby)
--
xen
--
