Antoine Beaupré
committed
An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
ansible (Markus Koschany)
NOTE: 20200506: CVE-2020-1736: The version in jessie does not use the
NOTE: 20200506: `_DEFAULT_PERM` global variable but hardcodes 0666
NOTE: 20200506: in the atomic_move code in basic.py, so is likely vulnerable.
NOTE: 20200506: (lamby)
NOTE: 20200508: bam: Problem exists with new files only. Existing files
NOTE: 20200508: bam: code resets permissions to same value, should be fine.
NOTE: 20200508: bam: Upstream fix was to use 660 - https://github.com/ansible/ansible/pull/68970
NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
NOTE: 20201130: apo: I believe a partial update makes sense at the moment.
NOTE: 20201130: Not everything is clear and obvious, thus fixing some CVEs is
NOTE: 20201130: better than continuing to ignore all of them.
NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
NOTE: 20200913: Patches prepared. Build in progress (hope this 45 G build goes fine). (ola)
NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
NOTE: 20200928: If someone knows how to test the packages please take this build and upload (after testing it).
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (e.g. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
NOTE: 20200525: Fix: https://github.com/htcondor/htcondor/compare/V8_8_7...V8_8_8 (utkarsh)
NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk)
NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto)
NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto)
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
--
f2fs-tools
NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial
NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
Chris Lamb
committed
golang-golang-x-net-dev
--
NOTE: 20201117: hold off the update until it's settled in unstable, at least.
NOTE: 20201117: Each round of updates has caused regressions. Thanks Moritz! (utkarsh)
NOTE: 20201122: the patch is ready but after discussing with the security team, hold on
NOTE: 20201122: this update for 2 weeks to first let it land in buster. (utkarsh)
NOTE: 20201122: Utkarsh will upload once it's confirmed that there is no regression
NOTE: 20201122: and is actively tracking it. (utkarsh)
NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby)
NOTE: 20201122: still waiting to hear from upstream. (utkarsh)
--
NOTE: 20201115: No patch yet; unsure if version in LTS is vulnerable. (lamby)
NOTE: 20200325: Regression in last upload, forgot to follow up.
NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh)
NOTE: 20201122: regression noticed; let the fix be exposed in sid for a week or two. (utkarsh)
--
opendmarc
NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
pacemaker (Markus Koschany)
NOTE: 20201117: See #974563 for further information.
NOTE: 20201130: I will ask the other bug reporters for feedback and testing
NOTE: 20201130: in #974563. The update itself looks good to me.
NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
--
pluxml
NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
--
NOTE: 20200909: it is now unmaintained. Last commit was in Aug 2018. (utkarsh)
ruby-actionpack-page-caching
NOTE: 20200819: Upstream's patch does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
NOTE: 20200819: page_cache_file method suggests that the issue exists, as it
NOTE: 20200819: uses the path without normalising any "../" etc., simply
NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
--
ruby-doorkeeper
NOTE: 20200831: it's a breaking change, I'd rather not issue a DLA for this. (utkarsh)
NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh)
NOTE: 20200831: more investigation needed. (utkarsh)
NOTE: 20201009: on another note, it needs more investigation if this version is affected in
NOTE: 20201009: the first place or not. (utkarsh)
--
NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
NOTE: 20200819: the one upstream or in its many forks. For example, both the
NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories do not have the
NOTE: 20200819: @params.except(:script_name) line in any part of their history (although the
NOTE: 20200819: file has been refactored a few times). (lamby)
NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh)
NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh)
NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch
NOTE: 20201009: will need to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh)
--
NOTE: 20200928: Still awaiting response to request for assistance sent to upstream dev list. (roberto)
NOTE: 20201004: Sent additional request to upstream dev list; still no response. (roberto)
NOTE: Upstream patch for CVE-2020-8608 requires patches for
NOTE: CVE-2020-7039 to be applied first, as they both patch
NOTE: the same lines of code in tcp_subr.c (bam).
snapd (Brian May)
NOTE: Needs rebuild for CVE-2019-11840 in golang-go.crypto.
NOTE: Problems with upload.
spice-vdagent (Abhijith PA)
NOTE: code base seems largely changed. Pinged upstream for help (abhijith)
--
spip
NOTE: Low priority for us. sec team did DSA-4798-1 (abhijith)
--
webcit (Markus Koschany)
NOTE: 20201130: Requested more information from upstream. Currently patches
NOTE: or workarounds are not available.
NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
NOTE: 20201007: those fixes as well! \o/ (utkarsh)
NOTE: 20201108: 2.6.8-1.1 backported as first step
NOTE: 20201108: will try to update wireshark in the next
NOTE: 20201108: buster point release followed by another backport (bunk)
NOTE: 20201123: NMU for unstable prepared as first step (bunk)
NOTE: 20201129: buster-pu in #975932, will backport when in buster (bunk)
NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
NOTE: 20200414: from 20200111 as incomplete, but with suggestion on improvement. (lamby)
NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
NOTE: 20201122: wait for a while to get the fix exposed in other suites. (utkarsh)