path: root/data/dla-needed.txt
blob: bba79648d6e7e56d42804a5e41df3ae5a6954caf
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
clamav (Hugo Lefeuvre)
  NOTE: 20200127: waiting for 0.102.1 to enter stretch/buster.
  NOTE: 0.102.* introduces a fair amount of ABI changes, and the migration
  NOTE: does not seem very smooth from the perspective of users. The release
  NOTE: team would like to wait for an init script for the new clamonacc
  NOTE: binary, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946557
--
ibus
  NOTE: 20191210: Requires glib2.0 to be patched also.
  NOTE: 20191210: See https://bugs.debian.org/941018
  NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
--
intel-microcode
--
jackson-databind
  NOTE: 20200105: Can be postponed again. (apo)
--
libmatio (Adrian Bunk)
  NOTE: fairly high number of open issues. Not sure why we never had a look at them.
  NOTE: triage work needed, help security team for fixes if needed.
  NOTE: 20190428: most patches can be applied after context adaption
  NOTE: 20190428: all CVEs are from one fuzzing attempt
  NOTE: 20190428: some CVE testcases pass on the unpatched version,
  NOTE: 20190428: but since the fixes can be applied the code
  NOTE: 20190428: is likely vulnerable
  NOTE: 20190428: some CVE testcases still fail after applying the fix,
  NOTE: 20190428: older changes seem to also be required for them
  NOTE: 20200210: work is ongoing
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
netty (Sylvain Beucler)
  NOTE: 20200214: upstream's still refining the fix (beuc)
--
netty-3.9 (Sylvain Beucler)
  NOTE: 20200214: upstream's still refining the fix (beuc)
--
nodejs
--
ntp (Roberto C. Sánchez)
--
opendmarc (Thorsten Alteholz)
  NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing
--
openjdk-7 (Emilio)
  NOTE: 20200203: waiting for icedtea release
--
php5 (Thorsten Alteholz)
--
python-pysaml2 (Abhijith PA)
  NOTE: 2020203: test fails already for the one in archive (abhijith)
--
python-reportlab (Hugo Lefeuvre)
  NOTE: 20200127: upstream fix was published, but potentially unsuitable. Currently investigating.
--
python2.7 (Roberto C. Sánchez)
--
python3.4 (Roberto C. Sánchez)
--
qemu (Utkarsh Gupta)
  NOTE: 20200210: WIP.
--
qtbase-opensource-src
--
radare2
  NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
  NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch.
  NOTE: Also note that there is a r2-pwnDebian challenge...
  NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
  NOTE: Support status is being discussed at:
  NOTE: https://lists.debian.org/debian-lts/2019/08/msg00064.html
--
ruby-rack
  NOTE: 20191219: The security update causes a regression and also, there's a
  NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102)
  NOTE: 20200216: Discussion ongoing on -lts list. (lamby)
--
salt (Mike Gabriel)
  NOTE: 20200118: about CVE-2019-17361... Compared to the upstream fix, there is a
  NOTE: 20200118: very similar code passage in salt/jessie's salt/client/api.py file.
  NOTE: 20200118: Needs to be checked, if that code is vulnerable or not.
--
slurm-llnl
  NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc
  NOTE: Regression found. (abhijith)
--
spamassassin (Mike Gabriel)
  NOTE: 20200131: Code not checked whether it is actually vulnerable since it likely is. (ola)
  NOTE: 20200131: Contacted SA maintainer: https://lists.debian.org/debian-lts/2020/01/msg00076.html (sunweaver)
--
squid3 (Markus Koschany)
  NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf.
  NOTE: 20200116: Researched other distros to see if any had backported the fixes.  No luck.
  NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed.
  NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not
  NOTE: 20200116: being able to reproduce makes it impossible to isolate the minimal change that
  NOTE: 20200116: addresses the vulnerabilities. (roberto)
  NOTE: 20200120: CVE-2019-12523 It looks like the only new check is the introduction of NID
  NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy
  NOTE: 20200120: to add those checks without introducing SBuf. (Ola)
  NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping
  NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more
  NOTE: 20200120: details on the intention. (Ola)
--
thunderbird (Emilio)
--
tomcat8 (Abhijith PA)
  NOTE: 20200106: Almost done. Working on failing testcase.
  NOTE: 20200210: TestFormAuthenticator failing with CVE-2019-17563. backporting upstream tests (abhijith)
--
wordpress
  NOTE: 20200118: Maybe affected, needs deeper triaging, no obvious commits
  NOTE: 20200118: referenced upstream. (sunweaver)
--
xcftools (Hugo Lefeuvre)
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review.
  NOTE: but I might just not receive any review any time soon, so I will now attempt to
  NOTE: fix the second issue and move on with the update.
  NOTE: 20200127: ongoing
--
xen
--
xerces-c (Hugo Lefeuvre)
  NOTE: 20191231: There is no upstream patch yet. (apo)
  NOTE: 20200118: There is still no upstream patch. (lamby)
  NOTE: 20200210: working on a patch, see ML (hle)
--
yara
  NOTE: 20191212: no upstream fix yet
  NOTE: 20200119: still no upstream fix (daissi)
  NOTE: 20200208: still no fix (lamby)
  NOTE: 20200214: still no fix (lamby)
--
