path: root/data/dla-needed.txt
blob: b41f594ebb524c507baccf7e0c0e948c8354d298
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.

The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.

To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
ansible
  NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
  NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
  NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
  NOTE: 20200506: (lamby)
  NOTE: 20200508: bam: Problem exists with new files only. Existing files
  NOTE: 20200508: bam: code resets permissions to same value, should be fine.
  NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
  NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
  NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
ark
  NOTE: 20200731: given PoC not working as intended. (abhijith)
  NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith)
  NOTE: 20200820: pinged upstream for help (abhijith)
  NOTE: 20200907: patch https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes (abhijith)
  NOTE: 20200921: CLI works but GUI does not; it seems the fix is not compatible with the old architecture (abhijith)
--
brotli (Roberto C. Sánchez)
  NOTE: 20201025: Requested patch review on debian-lts@l.d.o (roberto)
--
cacti
  NOTE: 20200529: A patch needs to be cooked up. Upstream patch not fit for jessie version (abhijith)
  NOTE: 20200620: WIP (abhijith)
  NOTE: 20200629: Working on the patch (abhijith)
  NOTE: 20200701: Patch for CVE-2020-7237 should also be included for Stretch LTS. (utkarsh)
  NOTE: 20200726: partial fix https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch (abhijith)
--
ceph
  NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
  NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
  NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
  NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
  NOTE: 20200928: If someone knows how to test the packages please take this build and upload (after testing it).
--
cimg (Thorsten Alteholz)
  NOTE: 20200709: Upstream patch is against a newer "load_network_external"
  NOTE: 20200709: method (vs "load_network") but is still missing the argument
  NOTE: 20200709: sanitisation. (lamby)
  NOTE: 20201005: checking whether reverse dependencies still build/work
  NOTE: 20201018: recovering from a broken computer :-(
--
condor
  NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
  NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
  NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
  NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
  NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
  NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
  NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
--
dompurify.js (Thorsten Alteholz)
  NOTE: 20201013: Package only in stretch - needs investigation to identify patch. (lamby)
--
f2fs-tools
  NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial
  NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
--
fossil
  NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a
  NOTE: 20200903: database query in src/add.c. In fact, the patch fixing this CVE is quite invasive. Maybe decide
  NOTE: 20200903: not to fix it?
--
freerdp
--
golang-1.7
--
golang-1.8
--
golang-github-dgrijalva-jwt-go
--
golang-golang-x-net-dev
--
guacamole-server (Markus Koschany)
  NOTE: 20201026: Reported my findings to the maintainers and the
  NOTE: security team. Waiting for feedback. CVE is in guacamole-server not in
  NOTE: guacamole-client. Backporting the upstream patch seems viable.
  NOTE: release will be this week
--
junit4 (Abhijith PA)
--
jupyter-notebook
  NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
--
lemonldap-ng
  NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby)
--
libonig (Markus Koschany)
  NOTE: 20201026: Fix for CVE-2020-26159 is too trivial. Besides that, please consider
  NOTE: 20201026: fixing other errors mentioned in https://github.com/kkos/oniguruma/issues/207
  NOTE: 20201026: and the other 6/7 CVEs tagged as no-dsa in stretch but fixed in jessie. (utkarsh)
  NOTE: 20201026: release will be this week
--
libproxy (Emilio)
  NOTE: 20201026: patch not sanctioned upstream yet (Emilio)
--
libdatetime-timezone-perl (Adrian Bunk)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
mumble
  NOTE: 20200325: Regression in last upload, forgot to follow up.
  NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
  NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
  NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
--
open-build-service
  NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
  NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh)
--
opendmarc
  NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
--
php-horde-trean
  NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
  NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
--
pluxml
  NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
--
poppler (Markus Koschany)
--
python3.5 (Thorsten Alteholz)
  NOTE: 20201011: testing package
  NOTE: 20201018: recovering from a broken computer :-(
--
qtsvg-opensource-src (Adrian Bunk)
  NOTE: 20201019: Tracking down build error (problem in my setup?).
--
reel
  NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
--
ruby-actionpack-page-caching
  NOTE: 20200819: Upstream's patch does not apply due to subsequent
  NOTE: 20200819: refactoring. However, a quick look at the private
  NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
  NOTE: 20200819: uses the path without normalising any "../" etc., simply
  NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
--
ruby-doorkeeper
  NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh)
  NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
  NOTE: 20200831: more investigation needed. (utkarsh)
  NOTE: 20201009: on another note, it needs more investigation if this version is affected in
  NOTE: 20201009: the first place or not. (utkarsh)
--
ruby-kaminari
  NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
  NOTE: 20200819: the one upstream or in its many forks. For example, both the
  NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
  NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
  NOTE: 20200819: file has been refactored a few times). (lamby)
  NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
  NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
  NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
  NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
ruby-oauth
--
samba
  NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
  NOTE: 20200801: Stretch update already released, so no conflict. (roberto)
  NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740, are ready. (roberto)
  NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto)
  NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know where the patches are (ola).
  NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver)
--
shiro
  NOTE: 20200920: WIP
  NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
  NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
--
slirp
  NOTE: Upstream patch for CVE-2020-8608 requires patches for
  NOTE: CVE-2020-7039 to be applied first, as they both patch
  NOTE: the same lines of code in tcp_subr.c (bam).
--
spice (Utkarsh)
  NOTE: 20201027: already uploaded to jessie, was waiting to hear back if there's regression.
  NOTE: 20201027: will upload soon to stretch as well. (utkarsh)
--
spice-gtk (Utkarsh)
  NOTE: 20201027: already uploaded to jessie, was waiting to hear back if there's regression.
  NOTE: 20201027: will upload soon to stretch as well. (utkarsh)
--
sympa
  NOTE: 20201007: I issued DLA-2401-1 to address overdue critical vulnerability.
  NOTE: 20201007: Lesser issues should pop up soon following work with upstream:
  NOTE: 20201007: https://github.com/sympa-community/sympa/issues/943
  NOTE: 20201007: I also prepared and tested a CVE-2018-1000671 backport:
  NOTE: 20201007: https://www.beuc.net/tmp/debian-lts/sympa/
  NOTE: 20201007: I won't have time to do more this month (Beuc)
  NOTE: 20201015: See #972189. (lamby)
--
tzdata (Adrian Bunk)
--
wireshark (Adrian Bunk)
  NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
  NOTE: 20201007: those fixes as well! \o/ (utkarsh)
  NOTE: 20201026: will backport 2.6.8-1.1 first, and then try to update in the
  NOTE: 20201026: next buster point release followed by another backport (bunk)
--
xcftools
  NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
  NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
  NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
  NOTE: 20200517: work is ongoing. (gladk)
  NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
  NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
--
zabbix
  NOTE: 20201014: Will require some in-depth investigation work. Upstream ticket remains locked since May, diffoscope of 5.0.1 to 5.0.2 is 44MB and contains approx 50 changes. (lamby)
--
zeromq3 (Adrian Bunk)
  NOTE: 20201026: still testing fixed package (bunk)
--