An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- axis -- checkstyle (Adrian Bunk) NOTE: CVE-2019-9658: changes appear to involve compatibility breakage, handle with care. NOTE: CVE-2019-9658: removal of DTDs from http://checkstyle.sourceforge.net and NOTE: CVE-2019-9658: http://puppycrawl.com/ might affect the validity of our default config NOTE: CVE-2019-9658: so depending of the impact this might require a jessie update NOTE: 20190413: work ongoing -- clamav (Ola Lundqvist) NOTE: 20190415: The package from stable should be backported but there are NOTE: 20190415: quite a few (likely) backwards compatibility issues to NOTE: 20190415: resolve. -- claws-mail NOTE: 20190408: patch not yet available -- evolution (Jonas Meurer) NOTE: 20190418: working on it, but needs more debugging -- evolution-data-server (Jonas Meurer) NOTE: 20190418: working on it, but needs more debugging -- evolution-ews -- faad2 (Hugo Lefeuvre) NOTE: 20190412: both patches for CVE-2018-20362 and CVE-2018-20194 merged by upstream. NOTE: need to check which other issues have been addressed by these fixes + one more NOTE: patch and we will be fit for upload. -- ghostscript (Sylvain Beucler) NOTE: 20190327: https://lists.debian.org/debian-lts/2019/03/msg00122.html NOTE: 20190409: will backport 9.27 following stable-security (cf. dsa-needed.txt) -- gpac (Thorsten Alteholz) -- gradle NOTE: 20190412: unless you believe http->https would cause significant breakage; NOTE: 20190412: ajax.googleapis.com's SSL cert appears well supported in jessie -- hdf5 (Hugo Lefeuvre) NOTE: requires some prior triage, almost all cves undetermined. NOTE: contacted hdf5 upstream, received information, currently updating the tracker. NOTE: CVE-2018-17432: Upstream claims to have fixed this in 1.10.5 (issue HDF-10590) NOTE: but not mentioned in release notes + no commit directly mentioning the issue NOTE: -> ask them for more information. -- imagemagick (Roberto C. Sánchez) NOTE: 20181227: We should address the many open issues in imagemagick either NOTE: by patching them separetely as we did in Wheezy or by updating to a NOTE: new upstream version like the security team did with Graphicsmagick in NOTE: Stretch. (apo) NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto) -- jinja2 (Hugo Lefeuvre) NOTE: 20190416: https://lists.debian.org/debian-lts/2019/04/msg00107.html -- jruby -- libav NOTE: 20190401: There are currently 20 CVE issues known for libav in jessie, NOTE: 20190401: 11 tagged as . These issues have been triaged, no patch NOTE: 20190401: has been found, so far. If you pick libav, be prepared to work NOTE: 20190401: out patches yourself. -- liblivemedia (Hugo Lefeuvre) NOTE: 20190416: CVE-2019-773{2,3}: wait for upstream patch - hle NOTE: not sure upstream is actually aware of these issues, probably need to NOTE: contact them. -- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. NOTE: 20190413: work ongoing -- libspring-security-2.0-java -- libvirt (Brian May) NOTE: 20190416: CVE-2019-3886 is for virDomainGetHostname. Jessie is OK. NOTE: 20190416: Attempting to get new CVE for issue with virDomainGetTime. NOTE: See thread https://lists.debian.org/debian-lts/2019/04/msg00061.html -- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- polarssl NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby) -- poppler NOTE: 20190408: No known upstream patches available for remaining open CVEs (sunweaver) -- putty (Thorsten Alteholz) NOTE: 20190407: stick to Stretch patches -- python-urllib3 (Roberto C. Sánchez) NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- python2.7 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and CVE-2019-9636 NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- python3.4 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647 and CVE-2019-9636 NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- qemu (Emilio) NOTE: CVE-2018-19665: wait for final patch -- qt4-x11 NOTE: dla-1627 (Qt5) to apply to Qt4 as well NOTE: CVE-2018-19872 id. while we're at it (minor) -- sox NOTE: 20190416: CVE-2019-835{4,5,6,7} no upstream patch yet, might take some time. NOTE: Check again later. - hle -- systemd (Mike Gabriel) NOTE: 20190409: At first glance, most CVE patches seem highly intrusive, thus not NOTE: 20190409: easily backportable to system in jessie. -- wget (Thorsten Alteholz) NOTE: test package -- wireshark (Hugo Lefeuvre) -- wordpress NOTE: 20190401: remaining one issue (CVE-2019-8943). Waiting for upstream patch (abhijith) -- wpa -- xen (worked on by credativ) --