An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name behind it.
To learn more about how this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues

--
cairo
  NOTE: 20190109: No fix available yet. (ola)
--
ceph (Markus Koschany)
--
drupal7 (Abhijith PA)
  NOTE: 20190203: For CVE-2019-6339 CVE-2018-1000888 in php-pear need a fix. I have uploaded drupal7 before.
  NOTE: 20190203: I will look in to it in this week itself (abhijith)
--
elfutils (Thorsten Alteholz)
  NOTE: 20190210: also looking at no-dsa CVEs
--
exiv2 (Thorsten Alteholz)
--
faad2 (Hugo Lefeuvre)
  NOTE: 20190125: No known patch yet. Going to fix the most exploitable issues at first.
  NOTE: CVE-2018-20362: started to work on a patch. At first this issue appears to be a
  NOTE: small crasher but it appears to be a bad design issue, and many, many of the CVEs
  NOTE: reported for faad2 might very well just be other consequences of this same root issue.
  NOTE: This needs some more investigations. See upstream bug report.
--
firmware-nonfree
  NOTE: needed by sponsors
--
gnutls28
--
gpac
  NOTE: The package is not very popular so fix it as a low priority task.
  NOTE: We can consider to postpone it too.
--
gsoap (Chris Lamb)
  NOTE: 20191502: Not planning on processing until upstream contacted, etc so taking lock just in case (see mailing list URL in data/CVE/list).
--
imagemagick
  NOTE: 20181227: We should address the many open issues in imagemagick either
  NOTE: by patching them separately as we did in Wheezy or by updating to a
  NOTE: new upstream version like the security team did with Graphicsmagick in
  NOTE: Stretch. (apo)
--
jackson-databind
  NOTE: 20190210: fix for all the CVEs is to add entries to a blacklist
  NOTE: 20190210: this blacklist (class SubTypeValidator) is not available in Jessie
  NOTE: 20190210: should that be backported or the CVEs marked as no-dsa?
--
libav (Mike Gabriel)
  NOTE: 20190131: Re-added after ~deb8u5 upload. Still not done, yet.
--
liblivemedia
--
libraw (Abhijith PA)
  NOTE: 20181222: As usual please consider to fix ignored/no-dsa issues too,
  NOTE: especially those that are still marked vulnerable in Stretch but also
  NOTE: the stack-based and heap-based overflow issues. (apo)
  NOTE: 20190114: Ton of issues, I couldn't reproduce most of them. CVE-2017-13735
  NOTE: is reproducible even after upstream patch.
  NOTE: 20190202: Marked CVE-2017-14348, CVE-2018-20337, CVE-2018-20363, CVE-2018-20364
  NOTE: and CVE-2018-20365 as no DSA.
--
libsdl1.2
--
libsdl2
--
libsolv
  NOTE: 20191027: maintainer is Mike Gabriel
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
mysql-connector-python
  NOTE: 20190202: Oracle stuff. Details are not disclosed. Requires update to
  NOTE: supported version.
--
nettle
  NOTE: 20190119: Prerequisite for gnutls28 being fixed.
--
nss
  NOTE: 20181212: Bug report not public but it is likely that the package is vulnerable. Maintainer not contacted
  NOTE: 20181212: yet. Further investigation needed.
  NOTE: 20181217: Contacted Mozilla security with a request for access to the BZ issue. (roberto)
  NOTE: 20190121: If you intend to take up this package, please email me and I will provide a detailed summary of what has been done so far. (roberto)
--
openjdk-7 (Emilio)
--
openssh (Mike Gabriel)
--
php5 (Roberto C. Sánchez)
  NOTE: 20190212: Updated package of 5.6.40 is ready (incorporating Abhijith PA's 5.6.39+dfsg-0+deb8u2 update as well).
  NOTE: 20190212: Waiting on CVE assignments from upstream. (roberto)
--
phpmyadmin
  NOTE: CVE-2019-6798: SQL injection is serious but if you have been able to login as a crafted user
  NOTE: CVE-2019-6798: that is a more serious problem. The fix is simple so it can still be worth fixing
  NOTE: CVE-2019-6798: but it is not urgent. Do it together with CVE-2019-6799.
--
polarssl
  NOTE: 20121207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby)
--
qemu (Hugo Lefeuvre)
  NOTE: CVE-2018-19665: working on a highly trimmed down version of upstream patch
  NOTE: CVE-2018-19665: also, current patch will not be merged by upstream, wait for updated version
  NOTE: CVE-2018-19665: see https://lists.debian.org/debian-lts/2019/01/msg00073.html
  NOTE: 20190129: working on a second upload addressing latest cves
--
rdesktop (Emilio)
  NOTE: 20190211: coordinating update to 1.8.4 with sec-team
--
rdflib
  NOTE: Maintainer not contacted. Follow the debian bug about status. This should probably be fixed.
--
rssh (Antoine Beaupre)
  For regression / #921655, maintainer will/can prepare an update
--
sox (Adrian)
  NOTE: 20190202: Fixed in Buster, Stretch will be fixed via point update. Used
  NOTE: by sponsors. (apo)
--
sssd
--
symfony (Roberto C. Sánchez)
  NOTE: 20190128: Working on resolving FTBFS with feedback received from mailing list (roberto)
--
systemd
  NOTE: 20181119: tmpfiles.d issues remain, fix invasive, consider backporting all of tmpfiles.c (anarcat)
--
thunderbird (Emilio)
  NOTE: 20190211: waiting for stretch update
--
tiff (Brian May)
  NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/d0a842c5dbad2609aed43c701a12ed12461d3405
  NOTE: CVE-2018-19210: https://gitlab.com/libtiff/libtiff/commit/38ede78b13810ff0fa8e61f86ef9aa0ab2964668
  NOTE: CVE-2018-5360: 20181219: asked for cve update as duplicate of CVE-2014-8127 (hle)
  NOTE: CVE-2018-18661: Easy to patch, but unable to reproduce the error. (bam)
  NOTE: CVE-2018-18661: Not possible to prove it fixes the specified vulnerability. (bam)
  NOTE: CVE-2018-18661: See thread starting at https://lists.debian.org/debian-lts/2018/11/msg00033.html (bam)
--
uriparser (Thorsten Alteholz)
  NOTE: 20190210: looking for testsuite package
--
uw-imap (Roberto C. Sánchez)
  NOTE: 20190128: Still on hold pending response from maintainer, cf. #914632 (roberto)
--
xen (worked on by credative)
--