summaryrefslogtreecommitdiffstats
path: root/data/dla-needed.txt
blob: bd24242f03cc874ebce279e4a81be16948effd27 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
389-ds-base
  NOTE: 20220516: Source code is vulnerable to CVE-2022-0996. The package do not have a large install base so the
  NOTE: 20220516: priority of fixing is probably low.
--
amd64-microcode
--
asterisk (Abhijith PA)
  NOTE: 20220424: programming language C
--
atftp (Thorste Alteholz)
  NOTE: 20220523: Harmonize with Debian 10.12 (1 CVE) (Beuc/front-desk)
--
avahi
  NOTE: 20220523: Harmonize with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk)
--
cgal
  NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton)
--
ckeditor (Sylvain Beucler)
  NOTE: 20220402: multiple pendings vulnerabilities (Beuc/front-desk)
  NOTE: 20220510: no rdeps, no sponsors, most CVEs require following upstream stable 4.x,
  NOTE: 20220510: considering either ignoring, or mass-bumping all dists,
  NOTE: 20220510: waiting for ckeditor_3_ discussion to close up first (Beuc)
  NOTE: 20220510: https://lists.debian.org/debian-lts/2022/05/msg00018.html
--
clamav (Emilio)
  NOTE: 20220510: Programming language C. (apo)
--
cups (Thorsten Alteholz)
--
curl (Emilio)
  NOTE: 20220510: Programming language C.
--
cyrus-imapd
  NOTE: 20220523: Harmonize with DSA-4590-1 and Debian 10.11 (2 CVEs) (Beuc/front-desk)
--
debian-security-support (Utkarsh)
  NOTE: 20220402: need to update the list of unsupported packages (Beuc/front-desk)
  NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc/front-desk)
  NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg00000.html (Beuc/front-desk)
  NOTE: 20220502: backport prepped, will contact Holger for more details. (utkarsh)
  NOTE: 20220516: in review, will also co-help Holger to maintain this. (utkarsh)
--
dpdk
  NOTE: 20220523: Harmonize with Debian 10.7 (5 CVEs) (Beuc/front-desk)
--
exempi
  NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis
  NOTE: 20220517: is needed.
--
firmware-nonfree
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
freerdp
  NOTE: 20220525: ~40 minor CVEs, consider coordinating with maintainer and/or secteam to do the same in freerdp2/buster (Beuc/front-desk)
--
gerbv
  NOTE: 20220321: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton)
  NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton)
  NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton)
--
glib2.0
  NOTE: 20220523: Harmonize with Debian 10.10 (3 CVEs) (Beuc/front-desk)
--
golang-go.crypto (Dominik George)
  NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk)
--
haproxy
  NOTE: 20220523: Harmonize with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk)
--
horizon
  NOTE: 20220523: Harmonize with DSA-4820-1 (1 CVE) (Beuc/front-desk)
  NOTE: 20220523: part of OpenStack (Beuc/front-desk)
--
icingaweb2 (Abhijith PA)
  NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith)
  NOTE: 20220522: Pinged upstream for missing patches. Will write an detail
  NOTE: 20220522: email about situation (abhijith)
--
intel-microcode
  NOTE: 20220213: please recheck
--
isync
  NOTE: 20220523: Harmonize with Debian 10.10 and possibly 11.2 (3 CVEs) (Beuc/front-desk)
--
kvmtool
  NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk)
  NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk)
--
lemonldap-ng
  NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk)
--
libdbi-perl
  NOTE: 20220523: Harmonize with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401
  NOTE: 20220523: which was fixed before stretch, buster's debian/changelog is incorrect) (Beuc/front-desk)
--
libjpeg-turbo
  NOTE: 20220523: Harmonize with Debian 10.7 (only 1 CVE but last
  NOTE: 20220523: stretch update back in 2020 and possible RCE) (Beuc/front-desk)
--
liblouis
  NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
  NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
  NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo,
  NOTE: 20220503: Patch not applied upstream yet.
--
libvirt (Thorsten Alteholz)
  NOTE: 20220522: testing package
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mailman
  NOTE: 20220523: Harmonize with Debian 10.12 (3 CVEs, regression fixes) (Beuc/front-desk)
--
manila
  NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) (Beuc/front-desk)
  NOTE: 20220523: part of OpenStack (Beuc/front-desk)
--
mariadb-10.1
  NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
--
mbedtls (Utkarsh)
  NOTE: 20220404: update prepared, needs testing. (utkarsh)
  NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh)
  NOTE: 20220502: will upload with 1 fix and mark the other one
  NOTE: 20220502: as no-dsa today/tomorrow. (utkarsh)
  NOTE: 20220516: helf off upload to see if the other one should
  NOTE: 20220516: be squeezed in. waiting on -pu. (utkarsh)
--
modsecurity-apache (Chris Lamb)
  NOTE: 20220524: Harmonize with DSA-5023-1 (1 CVE) (Beuc/front-desk)
--
modsecurity-crs
  NOTE: 20220524: Harmonize with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk)
--
mysql-connector-java (Markus Koschany)
  NOTE: 20220512: Requires a new upstream version. (apo)
--
ncurses
  NOTE: 20220524: Harmonize with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk)
--
ntfs-3g
  NOTE: 20220515: Please recheck. There are currently not enough information
  NOTE: available. (apo)
--
nvidia-cuda-toolkit
   NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc/front-desk)
--
nvidia-graphics-drivers
  NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc/front-desk)
  NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
  NOTE: 20220209: backport (apo)
--
openscad
  NOTE: 20220524: Harmonize with Debian 10.12 (1 CVE) (Beuc/front-desk)
  NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc (Beuc/front-desk)
--
pam-u2f
  NOTE: 20220524: Harmonize with Debian 10.1 (2 CVEs + some non-CVE'd fixes) (Beuc/front-desk)
--
pdns
  NOTE: 20220402: harmonize with buster/10.8 (Beuc/front-desk)
  NOTE: 20220506: buster patches backported in https://salsa.debian.org/enrico/pdns/-/tree/stretch
  NOTE: 20220506: and #debian-dns notified (enrico)
  NOTE: 20220506: the patch for https://security-tracker.debian.org/tracker/CVE-2022-27227
  NOTE: 20220506: would need to be completely rewritten for the stretch codebase (enrico)
  NOTE: 20220506: package builds but does not run a test suite, and I lack the
  NOTE: 20220506: know-how for testing manually (enrico)
--
pjproject
--
plinth
  NOTE: 20220524: Harmonize with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk)
--
pngcheck
  NOTE: 20220524: Harmonize with Debian 10.8 (1 CVE) (Beuc/front-desk)
--
postgresql-9.6
  NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk)
  NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk)
  NOTE: 20220523: Christoph Berg won't handle this update (Beuc/front-desk)
  NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html
--
puppet-module-puppetlabs-firewall
  NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk)
--
redis (Chris Lamb)
  NOTE: 20220510: Chris Lamb is the maintainer. Programming language C. (apo)
--
request-tracker4
  NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk)
--
ring
  NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
  NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith)
  NOTE: 20220404: a network error (abhijith)
  NOTE: 20220506: Pinged maintainer team and maintainer (abhijith)
  NOTE: 20220526: Re pinged Debian maintainer and Pinged upstream for help. (abhijith)
--
ros-ros-comm
  NOTE: 20220524: Harmonize with Debian 10.7 and 10.12 (2 CVEs) (Beuc/front-desk)
--
ruby-devise-two-factor
  NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result
  NOTE: 20220427: of an incomplete fix to CVE-2015-7225. Will require some investigation. (lamby)
  NOTE: 20220502: should be marked as no-dsa; will send more details on the list. (utkarsh)
--
salt
--
samba
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
  NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
  NOTE: 20220125: ftbfs, wip. (utkarsh)
--
sleuthkit
  NOTE: 20220524: Harmonize with Debian 10.0 and 10.7 (2 CVEs) (Beuc/front-desk)
--
slurm-llnl
  NOTE: 20220516: Checking the code it looks like the patches will apply so the code is clearly vulnerable.
--
snapd
  NOTE: 20220308: seems vulnerable at least to setup_private_mount,
  NOTE: 20220308: but double check (pochu)
--
sox
  NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton)
  NOTE: 20220326: https://salsa.debian.org/lts-team/packages/sox
  NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton)
--
spip
--
subversion (Roberto C. Sánchez)
  NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment)
  NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby)
  NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico)
  NOTE: 20220525: Based on the results of Enrico's analysis and some further work, I was able to have the test execute reliably (roberto)
  NOTE: 20220525: The test passes, which seems to indicate that the vulnerability does not affect 1.9.5 (roberto)
  NOTE: 20220525: I have asked Enrico to replicate my findings (roberto)
--
systemd
  NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13
  NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but at the
  NOTE: 20220524: same time is severe and was fixed in other old distros (Beuc/front-desk)
--
tiff (Utkarsh)
  NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff.
  NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh)
  NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh)
  NOTE: 20220502: will collate the new CVEs and update the package. (utkarsh)
  NOTE: 20220513: more CVEs, ugh. Probably will consider rolling out the ones
  NOTE: 20220513: that are already applied and tested and re-add tiff here. (utkarsh)
--
ublock-origin
  NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk)
--
unzip
  NOTE: 20220319: no patches yet but reproducible (apo)
  NOTE: 20220429: CVE-2022-0530: reported #1010355 with a proposed patch (enrico)
  NOTE: 20220429: CVE-2022-0529: sent a proposed patch to sanvila and team@s.d.o (enrico)
--
vlc
  NOTE: 20220524: Consider bumping to 3.12 (or later) as in DSA-4834-1 (Beuc/front-desk)
--
zipios++
  NOTE: 20220524: Harmonize with Debian 10.5 (1 CVE) (Beuc/front-desk)
--

© 2014-2024 Faster IT GmbH | imprint | privacy policy