On Wed, Oct 08, 2025 at 08:47:40PM +0200, Jochen Sprickerhof wrote:
> * Holger Levsen <[email protected]> [2025-10-08 17:53]:
> > On Wed, Oct 08, 2025 at 04:50:14PM +0200, Jochen Sprickerhof wrote:
> > > Package: debian-security-support
> > > Severity: normal
> > > X-Debbugs-Cc: Debian Security Team <[email protected]>,
> > > [email protected]
> > >
> > > I propose to mark hdf5 as limited support in Debian 11 (bullseye).
> >
> > bullseye is under the realm of the LTS team, thus cc:ing them
> > with full quote.
> >
> > that said: hdf5 is also present in all our later suites, so why
> > only bullseye, but not forkytrixiebookwormsid?
>
> Probably makes sense for bookworm and maybe for trixie though issues are
> getting fixed in later releases so I don't think we should put it on limited
> support forever. But I am not part of the security team so would leave it to
> them to decide.

The whole premise of assigning CVE IDs to data parsing bugs in HDF seems flawed
to begin with. If you use untrusted scientific data, some random parsing bugs
are the least of your worries.

Cheers,
Moritz