An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- 389-ds-base (Mike Gabriel) NOTE: 20180810: Patch available at https://pagure.io/389-ds-base/issue/49789. NOTE: 20180810: See debian-lts post: https://lists.debian.org/debian-lts/2018/08/msg00023.html -- bind9 (Thorsten Alteholz) -- enigmail NOTE: 20180603: Commits between https://sourceforge.net/p/enigmail/source/ci/f6c111 (abhijith) NOTE: 20180603: and https://sourceforge.net/p/enigmail/source/ci/d2a83a might be useful. (abhijith) -- evolution -- firefox-esr (Emilio Pozuelo) NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL. NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work. -- gdm3 (Markus Koschany) -- git-annex NOTE: 20180710: See #903037 for more information and a fix for Stretch. NOTE: 20180710: See debian-lts post: https://lists.debian.org/debian-lts/2018/07/msg00063.html -- intel-microcode (Santiago) -- jetty (Hugo Lefeuvre) NOTE: 20180702: jetty8 almost never marked as affected whereas jetty and jetty9 are. Reason ? NOTE: 20180702: CVE-2018-12536 fixed in latest upstream release. Looks like upstream NOTE: 20180702: voluntarily obfuscated the issue (fix hidden in unrelated changes). NOTE: 20180702: Fix (9.4.x): a51920d650d924cc2cea011995624b394437c6e0 NOTE: 20180702: (9.3.x): 53e8bc2a636707e896fd106fbee3596823c2cdc9 (closer to Debian versions) NOTE: 20180702: check before putting in the tracker. NOTE: 20180702: jetty: doesn't seem to be affected (Wheezy + Jessie) NOTE: 20180702: jetty8: still need to check (Wheezy + Jessie) NOTE: 20180702: jetty9: affected, will provide patches for stretch and testing NOTE: 20180716: can't reproduce CVE-2018-12536, e-mailed upstream for more information -- jetty8 (Hugo Lefeuvre) -- kdepim -- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: 20180118: It is unlikely that he will start again in the next weeks. NOTE: 20180118: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: 20180529: Help is welcome, feel free to mail Hugo. Still up-to-date. Help needed for CVE triage and patch development. NOTE: 20180529: Just contacted some of the CVE reporters to ask for the reproducers, CC-ed team ML. -- libextractor (Chris Lamb) -- libgit2 (Thorsten Alteholz) -- libspring-java (Abhijith PA) -- libspring-security-2.0-java NOTE: 20180727: Same as libspring-java? (lamby) -- libxml2 (Thorsten Alteholz) NOTE: 20180720: There are many open CVEs marked as for jessie and stretch. NOTE: 20180720: My sense is that someone should go over them and fix those that are fixable. -- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- mariadb-10.0 -- mosquitto NOTE: 20180629: there are still two CVEs open, their upstream bugs show no progress -- mysql-5.5 (Emilio Pozuelo) -- openjdk-7 (Emilio Pozuelo) -- openjpeg2 NOTE: 20180719: there is no patch available for the remaining CVEs -- openssh (Chris Lamb) -- otrs2 (Markus Koschany) -- php5 (Roberto C. Sánchez) -- phpldapadmin (Mike Gabriel) NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done -- qemu (Santiago) -- ruby2.1 -- samba (Holger Levsen) -- spice NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) -- spice-gtk NOTE: 20180819: Patch is possibly incomplete. See http://www.openwall.com/lists/oss-security/2018/08/17/2 (Brian May) -- squirrelmail -- suricata -- symfony NOTE: 20180630: email sent to maintainer, please wait some time before working on this package (Thorsten Alteholz)) -- thunderbird -- tiff NOTE: 20180816: See debian-lts post: https://lists.debian.org/debian-lts/2018/08/msg00036.html (Brian May) -- tomcat-native (Markus Koschany) -- tomcat8 (Roberto C. Sánchez) -- twig (Abhijith PA) -- twitter-bootstrap NOTE: See debian-lts post: https://lists.debian.org/debian-lts/2018/08/msg00010.html -- twitter-bootstrap3 NOTE: See debian-lts post: https://lists.debian.org/debian-lts/2018/08/msg00010.html -- xen (Emilio Pozuelo) --