An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it.

To learn more about how this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append
notes rather than remove/replace existing ones.

--
ansible (Markus Koschany)
  NOTE: 20210322: As discussed with the maintainer I will update Buster first and
  NOTE: 20210322: after that LTS. Will ask for a maintainer review later this week.
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal (lamby)
  NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
  NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
  NOTE: 20200928: If someone knows how to test the packages please take this build and upload (after testing it).
  NOTE: 20210118: wip (Emilio)
--
cgal (Anton Gladky)
--
condor
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
  NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
  NOTE: 20210205: Some patches seem to be available but not clear if they solve the whole issue or not. (ola)
--
courier-authlib
  NOTE: 20210319: Likely needs collaboration with maintainers. (lamby)
  NOTE: 20210329: conversation started already; in midst of staging this
  NOTE: 20210329: and getting prepared. The nature of conversation is
  NOTE: 20210329: internal and Utkarsh is working on it already. (utkarsh)
--
edk2
--
firmware-nonfree
  NOTE: 20201207: wait for the update in buster and backport that (Emilio)
--
golang-github-appc-cni (Thorsten Alteholz)
  NOTE: 20210221: also taking care of reverse dependencies
  NOTE: 20210221: also taking care of other suites
  NOTE: 20210321: still WIP
--
golang-gogoprotobuf
  NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby)
  NOTE: 20210308: The only explanation I have is that Skippy is a peanut butter brand and the fix is related to a variable called skippy (Ola)
  NOTE: 20210308: Patch prepared and available http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
  NOTE: 20210308: If anyone has a good way to regression test the package this information is appreciated.
  NOTE: 20210308: If anyone has information on what the result of the missing range check is, that information is also appreciated.
  NOTE: 20210318: The generated code is in many other go packages.
  NOTE: 20210329: See discussion at https://lists.debian.org/debian-lts/2021/03/msg00011.html
--
gsoap
--
libebml (Thorsten Alteholz)
  NOTE: 20210307: testing package
  NOTE: 20210321: preparing buster debdiff as well
--
libxstream-java
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
netty (Markus Koschany)
--
opendmarc
  NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
  NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto)
  NOTE: 20210104: wait for other CVEs (abhijith)
--
php-pear (Sylvain Beucler)
--
pillow (Abhijith PA)
  NOTE: 20200322: Working on no-DSA tagged CVEs (abhijith)
--
python2.7 (Anton Gladky)
  NOTE: 20210316: Same issue as python3.5 immediately below; suggest handled by same maintainer. (lamby)
  NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python2.7 (gladk)
--
python3.5 (Anton Gladky)
  NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby)
  NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python3.5 (gladk)
--
qemu
--
ruby-actionpack-page-caching
  NOTE: 20200819: Upstream's patch on does not apply due to subsequent
  NOTE: 20200819: refactoring. However, a quick look at the private
  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
  NOTE: 20200819: uses the path without normalising any "../" etc., simply
  NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
--
ruby-activerecord-session-store
--
ruby-carrierwave
  NOTE: 20210320: Will be difficult to backport as code in LTS version appears
  NOTE: 20210320: to use primitive Kernel.open to load URIs. (lamby)
--
ruby-doorkeeper
  NOTE: 20200831: it's a breaking change, I'd rather not issue a DLA for this. (utkarsh)
  NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
  NOTE: 20200831: more investigation needed. (utkarsh)
  NOTE: 20201009: on another note, it needs more investigation if this version is affected in
  NOTE: 20201009: the first place or not. (utkarsh)
  NOTE: 20201215: includes plaintext secret is not part of source code for stretch but there may be other ways to trigger this (ola)
--
ruby-kaminari
  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
  NOTE: 20200819: the one upstream or in its many forks. For example, both the
  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
  NOTE: 20200819: file has been refactored a few times). (lamby)
  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
  NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
ruby-nokogiri
  NOTE: 20210403: CVE-2020-26247: Java-level API not included in stretch but CVE also affects C/Ruby-level APIs;
  NOTE: 20210403: check if default change (trust -> don't trust external schemas) possibly breaks compatibility (Beuc)
--
salt (Utkarsh)
  NOTE: 20210329: WIP (utkarsh)
--
shiro (Roberto C. Sánchez)
  NOTE: 20200920: WIP
  NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
  NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
  NOTE: 20201220: Upstream has responded. Working with them to backport fixes. (roberto)
--
smarty3 (Abhijith PA)
  NOTE: 20200322: CVE-2018-13982 needs more time to backport (abhijith)
--
spotweb
  NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
  NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
  NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
  NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
--
subversion (Emilio)
  NOTE: 20210322: have a look at #985556 and #948834
--
xmlbeans
  NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
  NOTE: 20210222: upstream release with the fix). Trying to determine how to
  NOTE: 20210222: implement the changes without introducing too much new code. (roberto)
  NOTE: 20210309: Have developed a minimal backport that accomplishes the necessary security
  NOTE: 20210309: fix with minimal new code. (roberto)
--