Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e821dc95 by Ola Lundqvist at 2019-10-24T13:41:42Z
All the hdf5 issues are DoS-class vulnerabilities and marked as no-dsa for 
buster and stretch. There is no need to fix them for jessie in this case and 
historically it has not been done for this package either. Marking the CVEs as 
ignored and removing from dla-needed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -28453,12 +28453,14 @@ CVE-2019-9152 (An issue was discovered in the HDF 
HDF5 1.10.4 library. There is
        - hdf5 <unfixed>
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul8
        NOTE: issue in upstream bug tracker: 
https://jira.hdfgroup.org/browse/HDFFV-10719
 CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There 
is an ou ...)
        - hdf5 <unfixed>
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7
        NOTE: issue in upstream bug tracker: 
https://jira.hdfgroup.org/browse/HDFFV-10718
 CVE-2019-9150 (Mailvelope prior to 3.3.0 does not require user interaction to 
import  ...)
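Review bot: the added `[jessie] - hdf5 <ignored> (Minor issue)` lines reuse the reason text of the neighbouring no-dsa entries, so the actual rationale for the stronger `<ignored>` state (DoS-only impact, no jessie fixes for this package historically) lives only in the commit message; consider recording it in the data, either as the parenthesised reason on the jessie line or as a `NOTE:` under each entry, so a later triager does not re-add hdf5 to dla-needed for these CVEs.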
@@ -30500,6 +30502,7 @@ CVE-2019-8397 (An issue was discovered in the HDF HDF5 
1.10.4 library. There is
        - hdf5 <unfixed>
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5
        NOTE: issue in upstream bug tracker: 
https://jira.hdfgroup.org/browse/HDFFV-10711
 CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the 
HDF HDF5 ...)
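Review bot: CVE-2019-8396, visible as trailing context of this hunk and described as a buffer overflow in H5O__layout_encode, receives no `[jessie]` line here while CVE-2019-8397 directly above does; since the commit message justifies the change by all hdf5 issues being DoS-class, confirm whether 8396 was deliberately left out (already tagged outside the hunk, or not covered by the DoS rationale) so the jessie state across the hdf5 entries stays consistent.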
@@ -58635,6 +58638,7 @@ CVE-2018-17438 (A SIGFPE signal is raised in the 
function H5D__select_io() of H5
        - hdf5 <unfixed> (low)
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_h5d__select_io_h5dselect
        NOTE: https://jira.hdfgroup.org/browse/HDFFV-10587
        NOTE: fix in develop branch: 
https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7add52ff4f2443357648d53d52add274d1b18b5f
@@ -58643,6 +58647,7 @@ CVE-2018-17437 (Memory leak in the 
H5O_dtype_decode_helper() function in H5Odtyp
        - hdf5 <unfixed> (low)
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper
        NOTE: https://jira.hdfgroup.org/browse/HDFFV-10588
        NOTE: fixed in 1.10.5, release notes: 
https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt
@@ -58659,6 +58664,7 @@ CVE-2018-17434 (A SIGFPE signal is raised in the 
function apply_filters() of h5r
        - hdf5 <unfixed> (low)
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters
        NOTE: https://jira.hdfgroup.org/browse/HDFFV-10586
        NOTE: fixed in 1.10.5, release notes: 
https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt
@@ -58671,6 +58677,7 @@ CVE-2018-17432 (A NULL pointer dereference in 
H5O_sdspace_encode() in H5Osdspace
        - hdf5 <unfixed>
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln6#null-pointer-dereference-in-h5o_sdspace_encode
        NOTE: upstream bug tracker (not public): 
https://jira.hdfgroup.org/browse/HDFFV-10590
        NOTE: fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8)
@@ -59096,6 +59103,7 @@ CVE-2018-17237 (A SIGFPE signal is raised in the 
function H5D__chunk_set_info_re
        - hdf5 <unfixed> (low)
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: 
https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero
        NOTE: https://jira.hdfgroup.org/browse/HDFFV-10571 (not public)
        NOTE: does not appear in 1.10.5 release notes, but fixed in
@@ -59114,6 +59122,7 @@ CVE-2018-17234 (Memory leak in the 
H5O__chunk_deserialize() function in H5Ocache
        - hdf5 <unfixed> (low)
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak
        NOTE: https://jira.hdfgroup.org/browse/HDFFV-10578 (not public)
        NOTE: does not appear in 1.10.5 release notes, but fixed in
@@ -59123,6 +59132,7 @@ CVE-2018-17233 (A SIGFPE signal is raised in the 
function H5D__create_chunk_file
        - hdf5 <unfixed> (low)
        [buster] - hdf5 <no-dsa> (Minor issue)
        [stretch] - hdf5 <no-dsa> (Minor issue)
+       [jessie] - hdf5 <ignored> (Minor issue)
        NOTE: 
https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero
        NOTE: https://jira.hdfgroup.org/browse/HDFFV-10577
        NOTE: fixed in 1.10.5, release notes: 
https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt


=====================================
data/dla-needed.txt
=====================================
@@ -28,11 +28,6 @@ freeimage (Hugo Lefeuvre)
 --
 gdal (Utkarsh Gupta)
 --
-hdf5
-  NOTE: 20191015: Upstream is aware of currently open issues. Progress is slow,
-  NOTE: wait for the next HDF5 point release and either do full package upgrade
-  NOTE: or cherry pick fixes (hle)
---
 ibus
   NOTE: 20191020: Fix for regression in KDE apps still not available (apo)
 --
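Review bot: the removed hdf5 entry carries hle's notes dated 20191015 proposing to wait for the next HDF5 point release and then either upgrade the package or cherry-pick fixes; dropping the entry nine days later reverses that plan without a trace in dla-needed.txt, so cross-check with hle and make sure the decision is recoverable from the `<ignored>` entries in data/CVE/list. The surrounding `--` separators remain balanced after the removal (gdal, `--`, ibus), so the file structure is fine.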



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e821dc95d183520d41bc461606626d3813d7aac7



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
