Hello everyone,

The Security Team has supplied a list of packages/CVEs which were fixed by DLA (some in bullseye and some in buster) but which remain unfixed in bookworm (and which are tagged no-dsa, indicating that the Security Team has no immediate plans to address them).
Based on this information, I have created issues in Salsa (in the lts-team/lts-updates-tasks project) to track necessary updates. Depending on the specific package and CVEs, some only require coordination with SRM and the maintainer for a proposed-update to fix the applicable CVEs, while others require a bullseye DLA, and a few require both.

I have done my best to carefully document for each package the CVE(s) which are involved. In the cases where a bullseye DLA is needed, I have also added the package to dla-needed.txt (along with a link to the related Salsa issue).

For packages which were last updated in 2024, I have gone ahead and assigned the issue in Salsa to the same individual that prepared the last DLA. For older DLAs I did not do this, but rather tagged the individual or individuals who prepared the applicable DLAs.

All of that said, these updates are fair game for anyone, so if you are interested in working on one and the issue is already assigned, contact the assigned individual and work out a change of assignment.

If you have any questions, please let me know.

Regards,

-Roberto

--
Roberto C. Sánchez