An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- cairo NOTE: 20181024: No fix available yet. (ola) -- enigmail NOTE: 20181113: depends on gnupg2 updates, see 87r2fqnja0.fsf@curie.anarc.at (anarcat) -- exiv2 (Thorsten Alteholz) NOTE: 20181202: also recheck other CVEs (Thorsten) -- firefox-esr (Emilio Pozuelo) -- freerdp (Mike Gabriel) NOTE: 20181202: Mike is uploader, so he should probably take this. (Thorsten) NOTE: 20181203: freerdp (v1.1) is a mostly unmaintained branch upstream. I will ask upstream NOTE: 20181203: about possibility of paid patch backporting. FreeRDP is a fast moving target NOTE: 20181203: and most patches don't apply anymore. Furthermore, FreeRDP v1.1 does not work NOTE: 20181203: with recent Windows RDP servers anymore (proto / crypto changes on the Microsoft NOTE: 20181203: side). Other option: backport FreeRDPv2 to jessie (and stretch first). NOTE: 20181205: Phone call with Bernhard Miklautz (FreeRDP upstream). It is possible to get FreeRDP NOTE: 20181205: v1.1 functional again. He will go over the required patches and we aim at NOTE: 20181205: updating the github.com/FreeRDP/FreeRDP 1.1 branch that contains all the NOTE: 20181205: patches needed for producing a secured and functional stretch-security and jessie-security NOTE: 20181205: upload package. -- ghostscript (Lucas Kanashiro) -- jasper -- libapache-mod-jk (Roberto C. Sánchez) NOTE: 20181123: Packages ready, testing complete, waiting on security team feedback, NOTE: 20181123: as this work includes an updated package for stretch. (roberto) -- libav (Markus Koschany, Mike Gabriel) NOTE: 20181129: More than one contributor can work on libav at the same time. NOTE: 20181129: First priority should be to find more information about the NOTE: 20181129: "undetermined" issues. Then we can decide what CVE should be fixed ASAP. NOTE: 20181130: Adding my self as co-worker. Coordination of CVEs to be worked on: IRC NOTE: 20181130: #debian-lts. NOTE: 20181130: CVE-2015-6761: patch available, issue non-reproducible, vulnerable (maybe: not-affected instead) NOTE: 20181130: CVE-2015-6818: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-6820: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-6821: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-6822: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-6823: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-6824: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-6825: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-6826: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-8216: patch available (does not apply cleanly), issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-8217: similar patch applied, issue untested, not-affected (@apo: please double-check) NOTE: 20181130: CVE-2015-8219: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-8363: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-8364: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-8661: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-8662: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2015-8663: patch available (needs manual work), issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2016-10190: patch available (might need manual work), issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2016-10191: patch available, issue untested (no PoC), vulnerable NOTE: 20181130: CVE-2016-10192: vulnerable code not present (only in ffmpeg) NOTE: 20181130: CVE-2016-5115: patch unavailable (needs revisiting), issue reproducible, no-dsa (needs revisiting) NOTE: 20181206: CVE-2016-5199: vulnerable code (QuickTime Metadata Keys support) not present NOTE: 20181206: CVE-2016-9819: fix included, PoC available (needs testing), NOTE: 20181206: CVE-2016-9820: fix included, PoC available (needs testing), NOTE: 20181206: CVE-2016-9823: no patch available, PoC available (needs testing), currently NOTE: 20181206: CVE-2016-9824: no patch available, PoC available (needs testing), currently NOTE: 20181206: CVE-2016-9825: no patch available, PoC available (needs testing), currently NOTE: 20181206: CVE-2016-9826: no patch available, PoC available (needs testing), currently -- libsndfile (Hugo Lefeuvre) NOTE: 20181207: working on the next upload addressing older cves. NOTE: also: most new cves appear to be duplicates, working on triage -- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- openjpeg2 (Hugo Lefeuvre) NOTE: working a second batch of patches to fix the remaining issues worth taking time. NOTE: The rest will wait for upstream patches/no-dsa -- pdns (Abhijith PA) NOTE: 20181203: Upstream fix contain C++11 standard code. Ported one patch. One more left -- pdns-recursor (Abhijith PA) NOTE: 20181203: Affected by same vulnerability as pdns -- php5 (Roberto C. Sánchez) NOTE: 20181210: Upstream released 5.6.39 just a few days ago, that version will be packaged (roberto) -- polarssl NOTE: 20121207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby) -- policykit-1 (Santiago) NOTE: 20181207: jessie vulnerable to CVE-2018-19788? unable to reproduce systemctl poc -- qemu -- qtsvg-opensource-src NOTE: 20181210: Needs more investigation around related packages/upstream etc. (lamby) -- samba (Emilio Pozuelo) NOTE: 20181203: regression in upstream fix, waiting for confirmed regression fix -- sleuthkit NOTE: 20181129: seem to be more problems than mentioned in the CVE if nodesize == rec_off or (rec_off + keylen) == nodesize (Thorsten) -- symfony (Roberto C. Sánchez) -- systemd NOTE: 20181119: tmpfiles.d issues remain, fix invasive, consider backporting all of tmpfiles.c (anarcat) -- tiff (Hugo Lefeuvre) NOTE: CVE-2018-19210: Working on a patch, see https://gitlab.com/libtiff/libtiff/merge_requests/47 NOTE: CVE-2018-19210: 20181207: still waiting for feedback from upstream NOTE: CVE-2018-18661: Easy to patch, but unable to reproduce the error. NOTE: CVE-2018-18661: Not possible to prove it fixes the specified vulnerability. NOTE: CVE-2018-18661: See thread starting at https://lists.debian.org/debian-lts/2018/11/msg00033.html -- uw-imap (Roberto C. Sánchez) NOTE: Related to php5 issues -- wireshark (Thorsten Alteholz) -- xen --