On 2018-03-09 12:47, Adrian Bunk wrote:
> Control: retitle -1 cfitsio: vulnerabilities
> Control: found -1 3.370-2
>
> On Fri, Mar 09, 2018 at 09:56:39AM +0100, Ole Streicher wrote:
> > Package: cfitsio
> > Version: 3.420-3
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > a new version of cfitsio just came out, accompanied with the following
> > notice from upstream:
> >
> > The NASA security team requires the following warning to all users of
> > CFITSIO:
> >
> > =====
> > The CFITSIO open source software project contains vulnerabilities
> > that could allow a remote, unauthenticated attacker to take control
> > of a server running the CFITSIO software. These vulnerabilities
> > affect all servers and products running the CFITSIO software.
> >
> > The CFITSIO team has released software updates to address these
> > vulnerabilities. There are no workarounds to address these
> > vulnerabilities. In all cases, the CFITSIO team is recommending an
> > immediate update to resolve the issues.
> > =====
> >
> >
> > I didn't check the specific problem, but it may be important to upgrade.
>
> Even more important are DSAs backporting all required fixes (if any) to
> stable and oldstable.
It's not clear what the security issue is. There is only this announcement from NASA, and it's not tracked as a CVE. Looking at the diff there are many sprintf calls changed into snprintf, but I am not 100% sure it's the issue or the sole issue.

Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
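The sprintf-to-snprintf pattern Aurelien describes in the diff, shown as an added example that is not cfitsio code and makes no claim about which cfitsio call sites were changed. The 80-byte card buffer, the keyword layout and the function names (format_card_unsafe, format_card_safe, would_overflow) are assumptions for illustration only. It puts the unbounded write beside the bounded one and adds the check that swapping the call alone does not give you: snprintf truncates silently and returns the length it wanted to write, so the caller must compare that return value against the buffer size rather than treat any result as a complete string.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination buffer (illustration, not FITS semantics). */
#define CARD_LEN 80

/* "Before": unbounded write. A 'value' longer than the buffer allows
 * overruns 'card'. Kept only to show the pattern; only ever called
 * below with a value known to fit. */
void format_card_unsafe(char card[CARD_LEN], const char *key, const char *value)
{
    sprintf(card, "%-8s= '%s'", key, value);
}

/* Measure what the unbounded version would write (plus the NUL) without
 * writing anywhere: snprintf with a NULL buffer and size 0 only counts.
 * Returns 1 if a buffer of 'cardsz' bytes would be overrun, 0 otherwise. */
int would_overflow(size_t cardsz, const char *key, const char *value)
{
    int n = snprintf(NULL, 0, "%-8s= '%s'", key, value);
    return n < 0 || (size_t)n + 1 > cardsz;
}

/* "After": bounded write plus the check. Returns the length written,
 * -1 on encoding error or empty buffer, -2 when the output was truncated.
 * On truncation the buffer is cleared so a caller cannot mistake the
 * partial string for a valid card. */
int format_card_safe(char *card, size_t cardsz, const char *key, const char *value)
{
    if (cardsz == 0) return -1;
    int n = snprintf(card, cardsz, "%-8s= '%s'", key, value);
    if (n < 0) return -1;
    if ((size_t)n >= cardsz) {       /* n is the length snprintf *wanted* */
        card[0] = '\0';
        return -2;
    }
    return n;
}

/* Convenience wrapper for a CARD_LEN-sized destination. */
int format_card(const char *key, const char *value)
{
    char card[CARD_LEN];
    return format_card_safe(card, sizeof card, key, value);
}

/* Constructed sample input: a value far longer than any 80-byte card. */
const char *long_value(void)
{
    static char buf[200];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    char card[CARD_LEN];

    format_card_unsafe(card, "OBJECT", "M31");   /* fits: 15 chars + NUL */
    printf("unsafe, short value: %s\n", card);

    printf("short value would overflow? %d\n", would_overflow(CARD_LEN, "OBJECT", "M31"));
    printf("long value would overflow?  %d\n", would_overflow(CARD_LEN, "OBJECT", long_value()));

    printf("safe, short value: %d\n", format_card_safe(card, sizeof card, "OBJECT", "M31"));
    printf("safe, long value:  %d\n", format_card_safe(card, sizeof card, "OBJECT", long_value()));
    return 0;
}
```

When auditing a diff of this kind, the return-value check is what to look for: a hunk that replaces sprintf with snprintf but keeps using the buffer unconditionally has removed the memory corruption but may still pass a truncated string downstream.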