Your message dated Fri, 10 Jul 2026 05:18:57 +0000
with message-id <[email protected]>
and subject line Bug#1123960: fixed in netcdf 1:4.10.1-1
has caused the Debian Bug report #1123960,
regarding netcdf: CVE-2025-14932 CVE-2025-14933 CVE-2025-14934 CVE-2025-14935
CVE-2025-14936
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123960: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123960
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: netcdf
Version: 1:4.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:netcdf-parallel 1:4.9.3-2
Control: retitle -2 netcdf-parallel: CVE-2025-14932 CVE-2025-14933
CVE-2025-14934 CVE-2025-14935 CVE-2025-14936
Hi,
The following vulnerabilities were published for netcdf.
The set of reports oginate from ZDI reports and it not very clear if
the issues will get fixed and have not found public upstream
references where they track those. So this might be a first step at
all to track these properly as well for us downstream. For now the CVE
entries just refernce to the published ZDI reports.
CVE-2025-14932[0]:
| NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote
| Code Execution Vulnerability. This vulnerability allows remote
| attackers to execute arbitrary code on affected installations of NSF
| Unidata NetCDF-C. User interaction is required to exploit this
| vulnerability in that the target must visit a malicious page or open
| a malicious file. The specific flaw exists within the parsing of
| time units. The issue results from the lack of proper validation of
| the length of user-supplied data prior to copying it to a fixed-
| length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27273.
CVE-2025-14933[1]:
| NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of NSF Unidata
| NetCDF-C. User interaction is required to exploit this vulnerability
| in that the target must visit a malicious page or open a malicious
| file. The specific flaw exists within the parsing of NC variables.
| The issue results from the lack of proper validation of user-
| supplied data, which can result in an integer overflow before
| allocating a buffer. An attacker can leverage this vulnerability to
| execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934[2]:
| NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow
| Remote Code Execution Vulnerability. This vulnerability allows
| remote attackers to execute arbitrary code on affected installations
| of NSF Unidata NetCDF-C. User interaction is required to exploit
| this vulnerability in that the target must visit a malicious page or
| open a malicious file. The specific flaw exists within the parsing
| of variable names. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it
| to a fixed-length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27267.
CVE-2025-14935[3]:
| NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow
| Remote Code Execution Vulnerability. This vulnerability allows
| remote attackers to execute arbitrary code on affected installations
| of NSF Unidata NetCDF-C. User interaction is required to exploit
| this vulnerability in that the target must visit a malicious page or
| open a malicious file. The specific flaw exists within the parsing
| of dimension names. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it
| to a fixed-length heap-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27168.
CVE-2025-14936[4]:
| NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow
| Remote Code Execution Vulnerability. This vulnerability allows
| remote attackers to execute arbitrary code on affected installations
| of NSF Unidata NetCDF-C. User interaction is required to exploit
| this vulnerability in that the target must visit a malicious page or
| open a malicious file. The specific flaw exists within the parsing
| of attribute names. The issue results from the lack of proper
| validation of the length of user-supplied data prior to copying it
| to a fixed-length stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of the current user.
| Was ZDI-CAN-27269.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-14932
https://www.cve.org/CVERecord?id=CVE-2025-14932
[1] https://security-tracker.debian.org/tracker/CVE-2025-14933
https://www.cve.org/CVERecord?id=CVE-2025-14933
[2] https://security-tracker.debian.org/tracker/CVE-2025-14934
https://www.cve.org/CVERecord?id=CVE-2025-14934
[3] https://security-tracker.debian.org/tracker/CVE-2025-14935
https://www.cve.org/CVERecord?id=CVE-2025-14935
[4] https://security-tracker.debian.org/tracker/CVE-2025-14936
https://www.cve.org/CVERecord?id=CVE-2025-14936
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: netcdf
Source-Version: 1:4.10.1-1
Done: Bas Couwenberg <[email protected]>
We believe that the bug you reported is fixed in the latest version of
netcdf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bas Couwenberg <[email protected]> (supplier of updated netcdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 10 Jul 2026 06:26:47 +0200
Source: netcdf
Architecture: source
Version: 1:4.10.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian GIS Project <[email protected]>
Changed-By: Bas Couwenberg <[email protected]>
Closes: 1123960
Changes:
netcdf (1:4.10.1-1) unstable; urgency=high
.
* New upstream release.
Fixes: CVE-2025-14932, CVE-2025-14933, CVE-2025-14934,
CVE-2025-14935, CVE-2025-14936
(closes: #1123960)
* Bump Standards-Version to 4.7.4, no changes.
* Update copyright file.
* Refresh patches.
* Update symbols for 4.10.1.
Checksums-Sha1:
6e1b995a79f9235c9f6ff02a936d0d86a24c2f23 2362 netcdf_4.10.1-1.dsc
fb5b487f66ae12d81979c6fb558ef6deb7034633 25714348 netcdf_4.10.1.orig.tar.gz
8d431063893d450ae2255645ca272a3b211a0154 36000 netcdf_4.10.1-1.debian.tar.xz
51d57088fdd854b9e36a33b94b36dd8f8ec491c9 13453 netcdf_4.10.1-1_amd64.buildinfo
Checksums-Sha256:
9b5e4e9885302566162545acf0eafb3239e0543a70ca6768d0b7f503aed3482f 2362
netcdf_4.10.1-1.dsc
33c27231c478c3b35da7c7758fbdd02da1fe407abcb16ddfe195f69d164f930d 25714348
netcdf_4.10.1.orig.tar.gz
c8d2d9f977f2ba1b29cb27705f2b5e8fcbc77149f198406d00f93b6996b3cd56 36000
netcdf_4.10.1-1.debian.tar.xz
def0808f8c81554ab7375921b264a6db629f34bf4c49c2f2db3fb476a2c315fe 13453
netcdf_4.10.1-1_amd64.buildinfo
Files:
d0974d74e42c18f07e86d5eb4bc14b17 2362 science optional netcdf_4.10.1-1.dsc
9d56028b4032c67cd63b3cc5ae3e6b5f 25714348 science optional
netcdf_4.10.1.orig.tar.gz
808877bceb3c6f53f9686499b8b2bc0e 36000 science optional
netcdf_4.10.1-1.debian.tar.xz
fb66774c7fbc66db64e1634235762bcd 13453 science optional
netcdf_4.10.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEgYLeQXBWQI1hRlDRZ1DxCuiNSvEFAmpQe8MACgkQZ1DxCuiN
SvGCVxAAtEEiq1WTHcxKvnjUfi/BHLhPq+tIPXR3oT5Q1jPACJZ4hUnHJrCfcC7+
98agkrYex/AZrZCpo7yeYRHEbTWa8DFOvybhWb5fQhyJaoXneji1UhUGXVGcZ7Mg
HMnZ+rx8PUklPHJh75Go6k8y+gdY7TTE3gudtTZU7KxyUALaj1nx/SapYZpaawQ7
+dLtmPmBvOMb5kDW0LBf/uS1a9luFNB3Cy0ZWz9+6/Qv0N2Z3zzqSbbczOPfqwbc
ZKTubYFtD1yF88Em6owdM801VGIWSfy3QXoihudR94ogbglOZceU9Yygcu3TH8pO
4Tcg+gwaBCCkKUu1bwmlPKhe8oh0dpbW8gkx1hxvqQflu2mOZqkzzHdkW9IdFKYt
JqcqcR7RkQAHhfiQFN0wjnDGvLSQObvN47MaE3hjt4CKWF8R8Ebjj4ZibpAQ+Lds
hJGAgCMwTqop6f3OIL1t5weooBmkU0KLo0D06Jn2AXDL0z3yk2cM5tAveVQB9FlW
wz5f6pOwwiVi/pPREVsl0gHyu3nhSUvoDuVi5DXXdKYtoJxcL4mGla+f1VTVY13E
XQtaNbno9VmNWHLKRohngYzfcAMJFsHXy9F9eW1Zd4P6HkK3S0yfzmV8QX3X2bjt
BZv9Y3PtCEuoJz3aYVMy3IoSCr4loHvYni0gudOYim/LqUQu/co=
=ZXUa
-----END PGP SIGNATURE-----
pgpQUlV4M_Udv.pgp
Description: PGP signature
--- End Message ---