path: root/data/dla-needed.txt
blob: 8d17548cf9ae9b2548fded10a61828d7e37ef7f5
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
asterisk
  NOTE: 20220810: Programming language: C.
  NOTE: 20220829: Ongoing triaging work. Maybe we should think about syncing
  NOTE: 20220829: bullseye and buster. (apo)
--
bind9
  NOTE: 20220925: Programming language: C.
--
bluez
  NOTE: 20220902: Programming language: C.
  NOTE: 20220902: Consider synchronizing with Stretch. (apo)
--
curl
  NOTE: 20220901: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
  NOTE: 20220904: Special attention: high popcon!
--
dovecot (Anton)
  NOTE: 20220913: Programming language: C.
  NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
  NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 other postponed CVEs (Beuc/front-desk)
--
exiv2
  NOTE: 20220819: Programming language: C++.
  NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb)
--
firefox-esr (Emilio)
--
firmware-nonfree
  NOTE: 20220906: Consider checking the severity of the issues again and judging whether a correction is worth it.
--
frr (Thorsten Alteholz)
  NOTE: 20220923: Programming language: C.
--
gerbv
  NOTE: 20220923: Programming language: C.
--
gdal (Utkarsh)
  NOTE: 20220913: Programming language: C/C++, Python.
  NOTE: 20220913: Upcoming DSA (Beuc/front-desk)
  NOTE: 20220913: 2 CVEs already fixed in stretch&jessie (Beuc/front-desk)
--
glibc
  NOTE: 20220913: Programming language: C, Assembly.
  NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5 (Beuc/front-desk)
--
golang-1.11
  NOTE: 20220916: Programming language: Go.
  NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't)
  NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921 
--
golang-go.crypto
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support, cf. buster release notes
  NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
  NOTE: 20220915: Special attention: also check bullseye status
--
golang-websocket
  NOTE: 20220915: Programming language: Go.
  NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk)
  NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies
--
imagemagick
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
kopanocore
  NOTE: 20220801: Programming language: C++.
  NOTE: 20220811: Proposed a patch for CVE-2022-26562 (#1016973)
--
linux (Ben Hutchings)
--
mbedtls (Utkarsh)
  NOTE: 20220821: Programming language: C.
--
netatalk (Stefano Rivera)
  NOTE: 20220816: Programming language: C.
  NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor)
--
node-tar
  NOTE: 20220907: Programming language: JavaScript.
--
node-thenify (Utkarsh)
  NOTE: 20220912: Programming language: JavaScript.
--
nodejs (Sylvain Beucler)
  NOTE: 20220801: Programming language: JavaScript, C/C++, Python.
  NOTE: 20220801: one of the upstream fixes doesn't address the security issue (jmm)
  NOTE: 20220912: backporting patches and determining testing procedures (Beuc)
--
openexr
  NOTE: 20220904: Programming language: C++.
  NOTE: 20220904: Should be synced with Stretch. (apo)
--
openvswitch
  NOTE: 20220911: No known patch for this problem.
--
php-phpseclib
  NOTE: 20220909: Programming language: PHP.
  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.
--
phpseclib
  NOTE: 20220909: Programming language: PHP.
  NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.
--
pluxml
  NOTE: 20220913: Programming language: PHP.
  NOTE: 20220913: Special attention: orphaned package.
--
python-django
  NOTE: 20220911: Programming language: Python.
  NOTE: 20220911: There are many minor issues that should be done in a point release. No further point releases for buster.
  NOTE: 20220911: Some issues were fixed in stretch, so they should also be fixed for buster.
--
rails (Abhijith PA)
  NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
  NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
  NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
  NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith)
  NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith)
  NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith)
--
rainloop
  NOTE: 20220913: Programming language: PHP, JavaScript.
  NOTE: 20220913: Special attention: orphaned as of 2022-09.
  NOTE: 20220913: Upstream appeared dead but there was activity 2 weeks ago,
  NOTE: 20220913: a "SnappyMail" fork exists and may have patches we can use,
  NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
  NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk)
--
ruby-nokogiri
  NOTE: 20220911: Programming language: Ruby.
  NOTE: 20220911: CVE-2022-24836 was fixed in stretch so it should be fixed in buster too.
--
ruby-sinatra
  NOTE: 20220911: Programming language: Ruby.
--
runc
  NOTE: 20220905: Programming language: Go.
  NOTE: 20220905: Special attention: Sync with Bullseye.
--
salt
  NOTE: 20220814: Programming language: Python.
  NOTE: 20220814: Package is not among the packages supported by us.
  NOTE: 20220814: Also, I am not sure whether it is possible to fix issues
  NOTE: 20220814: without backporting a newer version. (Anton)
--
samba
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
  NOTE: 20220904: Special attention: High popcon! Used in many servers.
  NOTE: 20220904: Many postponed or open CVE in general. (apo)
--
snort
  NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored.
--
sox (Abhijith PA)
  NOTE: 20220818: Programming language: C.
  NOTE: 20220818: Requires some investigation; see #1012138 etc.
--
squid
  NOTE: 20220923: Programming language: C.
  NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 should be an issue, please recheck
--
thunderbird (Emilio)
--
trafficserver
  NOTE: 20220905: Programming language: C.
--
vim
  NOTE: 20220904: Programming language: C.
  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git
--
webkit2gtk (Emilio)
  NOTE: 20220921: coordinating update to 2.38 with berto (pochu)
--
wireshark
  NOTE: 20220916: Programming language: C.
--
wkhtmltopdf
  NOTE: 20220904: Programming language: C++.
--
wordpress
  NOTE: 20220911: Programming language: PHP.
  NOTE: 20220911: Further investigation needed to see which parts of the 6.0.2 update apply to buster.
--
zabbix
  NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too.
--