An LTS security update is needed for the following source packages. When you add a new entry, please keep the list alphabetically sorted. The specific CVE IDs do not need to be listed, they can be gathered in an up-to-date manner from https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- 389-ds-base NOTE: 20180929: CVE-2018-14648: check, very few information at the moment (hle) -- clamav -- enigmail NOTE: 20180926: see 871s9fps8e.fsf@curie.anarc.at before working on this (anarcat) -- exiv2 (Roberto C. Sánchez) -- firefox-esr (Emilio Pozuelo) NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL. NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work. -- firmware-nonfree NOTE: Perhaps this should be handled by or at least coordinated with Ben NOTE: Hutchings. The stretch-pu might be a good place to start the update. -- ghostscript (Markus Koschany) -- gnutls28 (Antoine Beaupre) NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (Chris Lamb) -- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: 20180118: It is unlikely that he will start again in the next weeks. NOTE: 20180118: I am currently working on CVE triage but I will not be able to process the whole backlog until May. (Hugo) NOTE: 20180529: Help is welcome, feel free to mail Hugo. Still up-to-date. Help needed for CVE triage and patch development. NOTE: 20180529: Just contacted some of the CVE reporters to ask for the reproducers, CC-ed team ML. -- libpdfbox-java (Chris Lamb) NOTE: 20181007: Can't find the upstream fixing commit atm (Chris Lamb) NOTE: 20181012: Have asked upstream for fixing commit (Chris Lamb) NOTE: 20181013: https://twitter.com/AndreasLehmi/status/1050787710942765056 (Chris Lamb) -- libspring-java (Abhijith PA) -- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- moin (Markus Koschany) -- mono (Markus Koschany) -- mysql-5.5 (Emilio Pozuelo) -- nsis NOTE: 20181007: Windows installer, but issue was reported by gpg4win so NOTE: 20181007: likely affects UNIX systems. (Chris Lamb) -- openjdk-7 (Emilio Pozuelo) -- openjpeg2 (Hugo Lefeuvre) NOTE: 20180719: there is no patch available for the remaining CVEs -- paramiko NOTE: 20181010: Consider fixing no-dsa issue too. (apo) -- phpldapadmin (Mike Gabriel) NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done -- poppler NOTE: 20180928: Consider fixing no-dsa/ignored bugs as well since this is NOTE: 20180928: frequently used package. -- salt NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be NOTE: 20180921: compromised first. But the security escalation effect can cause NOTE: 20180921: a lot of system compromised. (ola) -- smarty3 (Mike Gabriel) -- spamassassin NOTE: 20180925: maintainer suggests packaging 3.4.2 everywhere NOTE: 20180925: wait for feedback (anarcat) NOTE: 20180925: 20180920021632.5ak6iznomgw5qwzx@ctrl.internal.morgul.net -- symfony (Thorsten Alteholz) -- thunderbird (Emilio Pozuelo) -- wireshark (Thorsten Alteholz) -- xen NOTE: 20180928: credativ will look into this next week (anarcat) --