Hi, I tried to find all the affected packages, but there is no guarantee that the following list is complete. ;-)
These packages are out-of-sync since they have a version in jessie-lts (or earlier -lts) that is newer than in the subsequent release(s): * libpam-tacplus https://bugs.debian.org/962830 CVE-2020-13881 1.3.8-2+deb8u1 in jessie-lts 1.3.8-2 in stretch/buster/sid libpam-tacplus | 1.3.6-1 | wheezy | source, amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc libpam-tacplus | 1.3.8-2 | jessie | source, amd64, armel, armhf, i386 libpam-tacplus | 1.3.8-2 | stretch | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x libpam-tacplus | 1.3.8-2 | buster | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x libpam-tacplus | 1.3.8-2 | sid | source libpam-tacplus | 1.3.8-2+b1 | sid | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x libpam-tacplus | 1.3.8-2+deb8u1 | jessie-security | source, amd64, armel, armhf, i386 * pyxdg https://bugs.debian.org/930099 CVE-2019-12761 0.25-4+deb8u1 in jessie-lts 0.25-4 in stretch 0.25-5 in buster does not have the CVE-2019-12761 fix pyxdg | 0.19-2 | squeeze | source pyxdg | 0.19-5 | wheezy | source pyxdg | 0.25-4 | jessie | source pyxdg | 0.25-4 | stretch | source pyxdg | 0.25-4+deb8u1 | jessie-kfreebsd-security | source pyxdg | 0.25-4+deb8u1 | jessie-security | source pyxdg | 0.25-5 | buster | source pyxdg | 0.27-2 | bullseye | source pyxdg | 0.27-2 | sid | source * libkohana2-php (no bug) CVE-2016-10510 2.3.4-2+deb7u1 in wheezy-lts 2.3.4-2 in jessie libkohana2-php | 2.3.4-1~bpo60+1 | squeeze-backports | all libkohana2-php | 2.3.4-2 | wheezy | source, all libkohana2-php | 2.3.4-2 | jessie | source, all libkohana2-php | 2.3.4-2+deb7u1 | wheezy-security | source, all * usermode https://bugs.debian.org/991808 1.109-1+deb7u2 in wheezy-lts 1.109-1 in jessie 1.109-1 in stretch usermode | 1.109-1 | wheezy | source, amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc usermode | 1.109-1 | jessie | source, amd64, armel, armhf, i386 usermode | 1.109-1 | stretch | source usermode | 1.109-1+b2 | stretch | amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x usermode | 1.109-1+deb7u2 | wheezy-security | source, amd64, armel, armhf, i386 usermode | 1.109-3 | buster | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x usermode | 1.113-4 | bullseye | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x usermode | 1.113-4 | sid | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x usermode | 1.114-2 | experimental | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x * postgresql-9.1 (no bug) 9.1.24lts2-0+deb7u2 in wheezy-lts 9.1.22-0+deb8u1 in jessie src:postgresql-9.1 in jessie only builds the postgresql-plperl-9.1 binary which is out-of sync (anything else is built from src:postgresql-9.4) postgresql-plperl-9.1 | 9.1.16-0+deb8u1 | jessie-kfreebsd-security | kfreebsd-amd64, kfreebsd-i386 postgresql-plperl-9.1 | 9.1.16-0+deb8u1 | jessie-security | amd64, armel, armhf, i386 postgresql-plperl-9.1 | 9.1.21-0+deb7u1 | wheezy | amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc postgresql-plperl-9.1 | 9.1.22-0+deb8u1 | jessie | amd64, armel, armhf, i386 postgresql-plperl-9.1 | 9.1.24lts2-0+deb7u2 | wheezy-security | amd64, armel, armhf, i386 And while we are at it: * rust-doc in stretch-lts (and jessie-lts) is not installable since it depends on the unavailable fonts-open-sans https://bugs.debian.org/928422 Please get the missing fixes into stretch-lts. Is jessie-lts still open? If it is still possible to fix the issues there, too, getting the fixes into jessie-lts would be nice. Thanks! Andreas
