An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- 389-ds-base -- ansible (Abhijith PA) NOTE: Consider fixing no-dsa issues which were never fixed via a point release -- bouncycastle (Markus Koschany) -- ca-certificates NOTE: 20180531: check if we need to perform an update before wheezy is EOL (anarcat) NOTE: 20180601: Will keep this open and check for jessie now. (lamby) -- enigmail NOTE: 20180603: Commits between https://sourceforge.net/p/enigmail/source/ci/f6c111 (abhijith) NOTE: 20180603: and https://sourceforge.net/p/enigmail/source/ci/d2a83a might be useful. (abhijith) -- evolution -- firefox-esr (Emilio Pozuelo) NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL. NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work. -- git -- graphicsmagick (Markus Koschany) -- kdepim -- kf5-messagelib NOTE: 20180623: efail-related (lamby) -- kmail -- lava-server (Thorsten Alteholz) NOTE: get_remote_definition is get_remote_json in this version -- lame (Hugo Lefeuvre) NOTE: 20180529: Tested patch ready for upload. Waiting for feedback from the security team. NOTE: See https://lists.debian.org/debian-lts/2018/05/msg00081.html -- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: 20180118: It is unlikely that he will start again in the next weeks. NOTE: 20180118: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: 20180529: Help is welcome, feel free to mail Hugo. Still up-to-date. Help needed for CVE triage and patch development. NOTE: 20180529: Just contacted some of the CVE reporters to ask for the reproducers, CC-ed team ML. -- libgcrypt20 (Emilio Pozuelo) -- libidn (Santiago) NOTE: 20160622: Markus reports that Santiago has proposed an update for this to the security team. (lamby) -- liblouis -- mariadb-10.0 (Emilio Pozuelo) -- mercurial (Thorsten Alteholz) -- ming (Hugo Lefeuvre) NOTE: 20180529: wip, currently working on it with upstream. Lots of fuzzing noise, NOTE: many duplicate issues. I'm currently working on the next upload, which will fix NOTE: another batch of CVEs. It will most likely not be ready until Wheezy EOL, but I NOTE: will upload it for ELTS. -- mosquitto (Thorsten Alteholz) -- php5 NOTE: The maintainer, Ondřej Surý, was working on an update but has not NOTE: finished it yet. NOTE: 20180622: Maintainer will not update php5 for LTS. https://lists.debian.org/debian-lts/2018/06/msg00074.html (abhijith) -- phpmyadmin (Abhijith PA) -- qemu -- thunderbird (Emilio Pozuelo) -- tiff3 (Holger Levsen) -- tomcat7 (Markus Koschany) -- tomcat8 -- xen (Emilio Pozuelo) --