A wheezy-lts security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- apache2 (Roberto C. Sánchez) -- cacti NOTE: 20180419: Only few commits apply to the Wheezy version so there is NOTE: probably less to fix than it looks like (apo) -- calibre NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking (apo) NOTE: 20180321: completely and invest the time to fix the Jessie version instead? (apo) -- cups NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz) -- firebird2.5 NOTE: 20180411: no fix available upstream for CVE-2017-11509 NOTE: 20180412: see https://gist.github.com/lamby/e0db9370bad433e949d70663cef533da/raw (lamby) -- gcc-4.9 (Roberto C. Sánchez, Ben Hutchings) NOTE: 20180215: Backport the retpoline support for spectre mitigation. (buxy) NOTE: 20180215: Coordinate with jmm who started the work for gcc-4.9 in jessie. (buxy) NOTE: 20180416: We're now working on adding gcc-4.9 instead of backporting NOTE: 20180416: retpoline to older compiler versions. (benh) NOTE: 20180416: The backported package will be renamed as it has to be NOTE: 20180416: packaged differently to avoid conflicts with gcc-4.7. (benh) -- ghostscript (Markus Koschany) -- glusterfs NOTE: 20180419: Maintainer not contacted yet because issue is too new. Patch NOTE: does not apply cleanly in Wheezy. (apo) -- imagemagick NOTE: 20180417: Maybe wait for more issues or fix some no-dsa bugs or invest NOTE: the time to get Jessie into shape. (apo) -- krb5 NOTE: 20180131: lts-do-not-call NOTE: 20180411: Details not public yet. Security team in contact with upstream. (anarcat) NOTE: 20180411: See also https://lists.debian.org/msgid-search/20180208212643.GB7792@pisco.westfalen.local (anarcat) -- lame (Hugo Lefeuvre) NOTE: 20180317: Patch available and tested. However I am probably not going to upload it since the security team is not NOTE: interested in patching Jessie and I evaluate regression risks as non negligible. -- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: It is unlikely that he will start again in the next weeks. NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: Help is welcome, feel free to mail Hugo. -- libmad (Kurt Roeckx) -- libvorbis (anarcat) -- linux (Ben Hutchings) NOTE: 20180416: This depends on gcc-4.9 and linux-tools updates (benh) -- ming (Hugo Lefeuvre) NOTE: 20180317: wip, currently working on it with upstream. Since I have to write all patches by myself, it might take a while. -- ocaml (Abhijith PA) -- openjdk-7 (Emilio Pozuelo) -- ruby1.8 (Santiago R.R.) -- ruby1.9.1 (Santiago R.R.) NOTE: 20180402: Also vulnerable to CVE-2018-1000074. (lamby) -- slurm-llnl (Thorsten Alteholz) -- tiff (Hugo Lefeuvre) NOTE: 20180415: CVE-2018-8905 not reproducible in Wheezy/Jessie/Stretch (Buster only), NOTE: I'm still investigating the issue before I mark them not-affected. -- tiff3 (Hugo Lefeuvre) -- wireshark (Thorsten Alteholz) -- wordpress NOTE: 20180217: Upstream unsure how to fix CVE-2018-638 at the moment (lamby) NOTE: 20180221: Upstream still unsure how to fix CVE-2018-638 (lamby) NOTE: 20180311: Upstream still unsure how to fix CVE-2018-638. (lamby) NOTE: 20180415: (Other CVEs pending, however) (lamby) --