Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits: e821dc95 by Ola Lundqvist at 2019-10-24T13:41:42Z All the hdf5 issues are DoS class vulnerabilities and marked as no-dsa for buster and stretch. There is no need to fix it for jessie in this case and historically it has not been done for this package either. Marking the CVEs as ignored and removing from dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -28453,12 +28453,14 @@ CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There is - hdf5 <unfixed> [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul8 NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10719 CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - hdf5 <unfixed> [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7 NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10718 CVE-2019-9150 (Mailvelope prior to 3.3.0 does not require user interaction to import ...) @@ -30500,6 +30502,7 @@ CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is - hdf5 <unfixed> [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5 NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10711 CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 ...) 
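Review bot: in the first data/CVE/list hunk (CVE-2019-9152 and CVE-2019-9151), the new `[jessie] - hdf5 <ignored> (Minor issue)` lines record only "Minor issue" as the reason, while the actual rationale given in the commit message (all hdf5 issues are DoS class, no-dsa in buster and stretch, historically not fixed for jessie) does not appear anywhere in the tracker data. The CVE-2019-9151 description is truncated at "There is an ou ...", so the DoS-only classification cannot be checked from the hunk itself; a NOTE line on these entries stating why jessie is ignored (e.g. "NOTE: DoS only, no-dsa in stretch/buster, not fixed in jessie historically") would make the triage auditable later.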
@@ -58635,6 +58638,7 @@ CVE-2018-17438 (A SIGFPE signal is raised in the function H5D__select_io() of H5 - hdf5 <unfixed> (low) [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_h5d__select_io_h5dselect NOTE: https://jira.hdfgroup.org/browse/HDFFV-10587 NOTE: fix in develop branch: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7add52ff4f2443357648d53d52add274d1b18b5f @@ -58643,6 +58647,7 @@ CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in H5Odtyp - hdf5 <unfixed> (low) [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper NOTE: https://jira.hdfgroup.org/browse/HDFFV-10588 NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt @@ -58659,6 +58664,7 @@ CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of h5r - hdf5 <unfixed> (low) [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters NOTE: https://jira.hdfgroup.org/browse/HDFFV-10586 NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt 
@@ -58671,6 +58677,7 @@ CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace - hdf5 <unfixed> [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln6#null-pointer-dereference-in-h5o_sdspace_encode NOTE: upstream bug tracker (not public): https://jira.hdfgroup.org/browse/HDFFV-10590 NOTE: fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8) @@ -59096,6 +59103,7 @@ CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_re - hdf5 <unfixed> (low) [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero NOTE: https://jira.hdfgroup.org/browse/HDFFV-10571 (not public) NOTE: does not appear in 1.10.5 release notes, but fixed in @@ -59114,6 +59122,7 @@ CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache - hdf5 <unfixed> (low) [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak NOTE: https://jira.hdfgroup.org/browse/HDFFV-10578 (not public) NOTE: does not appear in 1.10.5 release notes, but fixed in 
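Review bot: in the CVE-2018-17432 hunk, the added `[jessie] - hdf5 <ignored> (Minor issue)` line sits directly above the existing NOTE "fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8)". Once that backport exists, an `<ignored>` state will not bring jessie back up for re-triage, unlike `<postponed>`. If the intention is never to fix this in jessie, that is consistent with the commit message; if the intention is to revisit once the 1.8 backport lands, a dated NOTE saying so, or `<postponed>` instead of `<ignored>`, would preserve that intent.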
@@ -59123,6 +59132,7 @@ CVE-2018-17233 (A SIGFPE signal is raised in the function H5D__create_chunk_file - hdf5 <unfixed> (low) [buster] - hdf5 <no-dsa> (Minor issue) [stretch] - hdf5 <no-dsa> (Minor issue) + [jessie] - hdf5 <ignored> (Minor issue) NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero NOTE: https://jira.hdfgroup.org/browse/HDFFV-10577 NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt ===================================== data/dla-needed.txt ===================================== @@ -28,11 +28,6 @@ freeimage (Hugo Lefeuvre) -- gdal (Utkarsh Gupta) -- -hdf5 - NOTE: 20191015: Upstream is aware of currently open issues. Progress is slow, - NOTE: wait for the next HDF5 point release and either do full package upgrade - NOTE: or cherry pick fixes (hle) --- ibus NOTE: 20191020: Fix for regression in KDE apps still not available (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e821dc95d183520d41bc461606626d3813d7aac7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e821dc95d183520d41bc461606626d3813d7aac7 You're receiving this email because of your account on salsa.debian.org.
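Review bot: the data/dla-needed.txt hunk removes the hdf5 entry together with its three 20191015 NOTE lines (upstream aware of the open issues, wait for the next HDF5 point release, then full package upgrade or cherry-pick), and nothing on the data/CVE/list side of this commit carries that context forward. If the jessie triage may be revisited once the next point release appears, keep that note on one of the hdf5 CVE entries so the history is not lost; otherwise the hunk is consistent (header `-28,11 +28,6` matches the five removed lines).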
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits