path: root/data/dla-needed.txt
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed; they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.

--
ansible (Lee Garrett)
  NOTE: 20210411: As discussed with the maintainer I will update Buster first and
  NOTE: 20210411: after that LTS. (apo)
  NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
apache2 (Anton)
--
apng2gif
  NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie
  NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk)
--
clamav (Emilio)
--
condor (Anton)
  NOTE: 20211216: full details embargoed
  NOTE: 20211227: the fix is out and now available; cf:
  NOTE: 20211227: https://github.com/htcondor/htcondor/commit/8b311dee. (utkarsh)
--
debian-archive-keyring
  NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
  NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
  NOTE: 20211003: waiting for Jonathan to get back as his keys
  NOTE: 20211003: seemed to have expired and the build is thus
  NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
  NOTE: 20211018: Jonathan is prepping the branch; will work
  NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
--
firmware-nonfree (Markus Koschany)
  NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
  NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
  NOTE: 20211207: Intend to release this week.
--
ghostscript (Markus Koschany)
--
gpac (Roberto C. Sánchez)
  NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
  NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
  NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
--
libarchive (Thorsten Alteholz)
  NOTE: 20220102: testing package
--
libgit2 (Utkarsh)
  NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed
  NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch
  NOTE: 20211029: 4 other CVEs might also be worth fixing (bunk)
  NOTE: 20211029: taking this with my maintainer hat on; will investigate
  NOTE: 20211029: and TAL later next week. (utkarsh)
  NOTE: 20211116: backports prepped; checking build and smoke-testing package. (utkarsh)
  NOTE: 20211129: readied up everything, using pygit and other wrappers
  NOTE: 20211129: around which the code changed. will upload in the next 2 days. (utkarsh)
  NOTE: 20211227: waiting on upstream to get feedback. (utkarsh)
--
libraw (Abhijith PA)
  NOTE: 20211227: 7 CVEs that were fixed for jessie in DLA-1734-1 are unfixed
  NOTE: 20211227: in stretch, plenty other unfixed CVEs (bunk)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
nvidia-graphics-drivers (Markus Koschany)
  NOTE: package is in non-free but also in packages-to-support
  NOTE: only CVE-2021-1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
  NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm
  NOTE: 20211108: now fixes all 5 CVEs (bunk)
  NOTE: 20211229: https://people.debian.org/~apo/lts/nvidia-graphics-drivers/
--
pgbouncer
  NOTE: 20211220: maintainer might want to upload fixed version
--
php-nette (Utkarsh)
--
pjproject
  NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
--
samba (Utkarsh Gupta)
  NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
  NOTE: 20211212: Fix is too large, coordination with ELTS-upload
--
slurm-llnl (Sylvain Beucler)
  NOTE: 20211229: CVE-2019-12838 is marked "Too intrusive to backport" but was
  NOTE: 20211229: backported to jessie in DLA-2143-1.
  NOTE: 20211229: If CVE-2019-12838 gets fixed, then the 4 other "no DSA" CVEs
  NOTE: 20211229: should also be checked. (bunk)
--
sphinxsearch (Thorsten Alteholz)
  NOTE: 20220103: waiting for Buster upload
--
thunderbird (Emilio)
  NOTE: 20211122: blocked on toolchain backports (pochu)
  NOTE: 20211206: progressing on the toolchain front (pochu)
  NOTE: 20211220: backport in progress, making it build with python3.5 (pochu)
  NOTE: 20210103: DSA released, DLA will follow today (pochu)
--
vim (Anton)
  NOTE: 20211203: adding here as it's in the ela-needed as well
  NOTE: 20211203: so worth fixing in stretch, too. Co-ordinate w/
  NOTE: 20211203: Emilio since he's working on it for jessie. (utkarsh)
  NOTE: 20211220: WIP (Anton)
  NOTE: 20220103: Upload is planned this week (Anton)
--
