An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
--
ansible (Markus Koschany)
NOTE: 20210411: As discussed with the maintainer I will update Buster first and
NOTE: 20210411: after that LTS. (apo)
NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
ceph
NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
NOTE: 20200928: If someone knows how to test the packages please take this build and upload (after testing it).
NOTE: 20210118: wip (Emilio)
--
cgal (Anton Gladky)
NOTE: 20210404: https://salsa.debian.org/lts-team/packages/cgal WIP (gladk)
--
composer (Utkarsh)
--
condor
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
NOTE: 20210205: Some patches seem to be available but not clear if they solve the whole issue or not. (ola)
--
curl
NOTE: 20210405: the patch applies but is missing a lot of elements;
NOTE: 20210405: namely CURLU, CURLUPART_{URL,FRAGMENT,USER,PASSWORD}. (utkarsh)
NOTE: 20210405: see https://lists.debian.org/debian-lts/2021/04/msg00002.html. (utkarsh)
--
firmware-nonfree
NOTE: 20201207: wait for the update in buster and backport that (Emilio)
--
golang-github-appc-cni (Thorsten Alteholz)
NOTE: 20210221: also taking care of reverse dependencies
NOTE: 20210221: also taking care of other suites
NOTE: 20210418: still WIP, trying to automate golang updates
--
golang-gogoprotobuf
NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby)
NOTE: 20210308: The only explanation I have is that Skippy is a peanut butter brand and the fix is related to a variable called skippy (Ola)
NOTE: 20210308: Patch prepared and available http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
NOTE: 20210308: If anyone has a good way to regression test the package this information is appreciated.
NOTE: 20210308: If anyone has information on what the result of the missing range check is, that information is also appreciated.
NOTE: 20210318: The generated code is in many other go packages.
NOTE: 20210329: See discussion at https://lists.debian.org/debian-lts/2021/03/msg00011.html
--
gpac (Thorsten Alteholz)
--
gsoap (Abhijith PA)
NOTE: 20210420: upstream only responded with suggestion to upgrade (abhijith)
--
imagemagick (Anton Gladky)
NOTE: 20210415: Tracker records as vulnerable to CVE-2021-20312, but parts of
NOTE: 20210415: patch already partly covered; needs investigation. (lamby)
--
jetty9 (Sylvain Beucler)
--
libimage-exiftool-perl (Utkarsh)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mediawiki (Abhijith PA)
NOTE: 20210412: Check ./extensions/SyntaxHighlight_GeSHi/pygments/pygmentize (lamby)
--
nvidia-graphics-drivers
NOTE: package is in non-free but also in packages-to-support
NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
ring (Thorsten Alteholz)
--
ruby-actionpack-page-caching
NOTE: 20200819: Upstream's patch does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
NOTE: 20200819: uses the path without normalising any "../" etc., simply
NOTE: 20200819: URI.parser.unescape-ing it. Requires more investigation. (lamby)
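NOTE: Added example (not code from the ruby-actionpack-page-caching gem and not the note author's code): an illustrative Ruby sketch of the behaviour described in the note, with the cache directory, method names and request paths all assumptions, beside a variant that resolves the decoded path and refuses anything that does not stay inside the cache directory.

```ruby
require "uri"

# Constructed cache directory for the example; not the application's real config.
CACHE_DIR = "/var/cache/example-app/pages".freeze

# Percent-decode the request path the way a URI parser's unescape does
# ("%2e%2e" becomes "..", "%2f" becomes "/").
def unescape_path(path)
  URI::RFC2396_Parser.new.unescape(path)
end

# Illustrative vulnerable variant (hypothetical name): decode the request path and
# concatenate it onto CACHE_DIR with no normalisation, so "../" segments, encoded or
# not, produce a file path outside the cache directory.
def page_cache_file_unsafe(path, extension = ".html")
  name = (path.empty? || path == "/") ? "/index" : unescape_path(path.chomp("/"))
  name += extension if File.extname(name).empty?
  CACHE_DIR + name
end

# Hardened variant (hypothetical name): decode the same way, but resolve the
# candidate against CACHE_DIR with File.expand_path (which collapses "." and "..")
# and require the result to remain under CACHE_DIR. Returns nil for a traversal.
def page_cache_file_safe(path, extension = ".html")
  name = (path.empty? || path == "/") ? "/index" : unescape_path(path.chomp("/"))
  name += extension if File.extname(name).empty?
  candidate = File.expand_path(name.sub(%r{\A/+}, ""), CACHE_DIR)
  return nil unless candidate.start_with?(CACHE_DIR + "/")
  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths: a normal page and an encoded traversal attempt.
  ["/posts/1", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"].each do |p|
    puts "#{p} -> unsafe: #{page_cache_file_unsafe(p)} | safe: #{page_cache_file_safe(p).inspect}"
  end
end
```

NOTE: The check has to run on the decoded, expanded path: checking the raw request string for "../" misses the percent-encoded form, and checking before expand_path misses "a/../../b".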
--
ruby-doorkeeper
NOTE: 20200831: it's a breaking change, I'd rather not issue a DLA for this. (utkarsh)
NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
NOTE: 20200831: more investigation needed. (utkarsh)
NOTE: 20201009: on another note, it needs more investigation if this version is affected in
NOTE: 20201009: the first place or not. (utkarsh)
NOTE: 20201215: includes plaintext secret is not part of source code for stretch but there may be other ways to trigger this (ola)
--
ruby-kaminari
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both the
NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
NOTE: 20200819: file has been refactored a few times). (lamby)
NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
ruby-kramdown
NOTE: 20210412: Probably needs two commits (see the one linked in the comment of d6a1cbcb2c). (lamby)
--
ruby-nokogiri
NOTE: 20210403: CVE-2020-26247: Java-level API not included in stretch but CVE also affects C/Ruby-level APIs;
NOTE: 20210403: check if default change (trust -> don't trust external schemas) possibly breaks compatibility (Beuc)
--
salt (Utkarsh)
NOTE: 20210329: WIP (utkarsh)
--
shiro (Roberto C. Sánchez)
NOTE: 20200920: WIP
NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto)
--
spotweb
NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
--
subversion (Anton Gladky)
NOTE: 20210322: have a look at #985556 and #948834
NOTE: 20210425: almost ready
--
xmlbeans (Roberto C. Sánchez)
NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
NOTE: 20210222: upstream release with the fix). Trying to determine how to
NOTE: 20210222: implement the changes without introducing too much new code. (roberto)
NOTE: 20210309: Have developed a minimal backport that accomplishes necessary security
NOTE: 20210309: fix with minimal new code. (roberto)
--