[Debian-astro-maintainers] Bug#892458: Security: please consider upgrade to 3.43(0)
Aurelien Jarno
aurelien at aurel32.net
Fri Mar 9 13:16:46 UTC 2018
On 2018-03-09 12:47, Adrian Bunk wrote:
> Control: retitle -1 cfitsio: vulnerabilities
> Control: found -1 3.370-2
>
> On Fri, Mar 09, 2018 at 09:56:39AM +0100, Ole Streicher wrote:
> > Package: cfitsio
> > Version: 3.420-3
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > a new version of cfitsio just came out, accompanied with the following
> > notice from upstream:
> >
> > The NASA security team requires the following warning to all users of
> > CFITSIO:
> >
> > =====
> > The CFITSIO open source software project contains vulnerabilities
> > that could allow a remote, unauthenticated attacker to take control
> > of a server running the CFITSIO software. These vulnerabilities
> > affect all servers and products running the CFITSIO software.
> >
> > The CFITSIO team has released software updates to address these
> > vulnerabilities. There are no workarounds to address these
> > vulnerabilities. In all cases, the CFITSIO team is recommending an
> > immediate update to resolve the issues.
> > =====
> >
> >
> > I didn't check the specific problem, but it may be important to upgrade.
>
> Even more important are DSAs backporting all required fixes (if any) to
> stable and oldstable.
It's not clear what the security issue is. There is only this announcement
from NASA, and it's not tracked as a CVE. Looking at the diff there are
many sprintf calls changed into snprintf, but I am not 100% sure that's the
issue or the sole issue.
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien at aurel32.net http://www.aurel32.net
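The sprintf-to-snprintf change noted in the diff is the usual fix for a buffer overflow through an unbounded formatter: sprintf writes as many bytes as the format produces, snprintf stops at the buffer size. The C example below is added here for illustration and is not cfitsio's code; it shows the before/after shape of such a change with an assumed 80-byte buffer (the width of a FITS header card) and a constructed oversized input. The point a reviewer of such a patch would want checked is the snprintf return value: the write is bounded, but truncation is silent unless the caller tests for it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not cfitsio's code. CARD_LEN is an assumption
 * chosen because FITS header cards are 80 characters wide. */
#define CARD_LEN 80

/* "Before" shape: sprintf writes as many bytes as the format produces, so a
 * value longer than the buffer runs past the end of 'card'. Shown for
 * contrast only; never call it with untrusted input. */
void format_card_unsafe(char card[CARD_LEN], const char *key, const char *value)
{
    sprintf(card, "%-8s= '%s'", key, value);
}

/* "After" shape: snprintf never writes more than CARD_LEN bytes (including
 * the terminating NUL). Its return value is the length the full output
 * would have had, so a result >= CARD_LEN means the output was truncated.
 * Returns 0 on success, -1 on truncation or encoding error, so the caller
 * cannot silently continue with a partial card. */
int format_card_safe(char card[CARD_LEN], const char *key, const char *value)
{
    int n = snprintf(card, CARD_LEN, "%-8s= '%s'", key, value);
    if (n < 0) {
        card[0] = '\0';
        return -1;
    }
    if ((size_t)n >= CARD_LEN) {
        /* Truncated: 'card' holds a NUL-terminated prefix of the output. */
        return -1;
    }
    return 0;
}

/* Demonstration helper: the length the formatted card would need.
 * snprintf with a NULL buffer and size 0 only computes the length. */
size_t needed_length(const char *key, const char *value)
{
    int n = snprintf(NULL, 0, "%-8s= '%s'", key, value);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    char card[CARD_LEN];
    char long_value[200];                      /* constructed oversized input */
    memset(long_value, 'A', sizeof long_value - 1);
    long_value[sizeof long_value - 1] = '\0';

    if (format_card_safe(card, "OBJECT", "M31") == 0)
        printf("ok:       %s\n", card);

    if (format_card_safe(card, "COMMENT", long_value) != 0)
        printf("rejected: output needs %zu bytes, buffer holds %d\n",
               needed_length("COMMENT", long_value), CARD_LEN);
    return 0;
}
```

Replacing sprintf with snprintf removes the out-of-bounds write, which is why it is the typical patch for this class of bug, but it does not by itself prove the original call was reachable with attacker-controlled data, and a truncated string fed into later parsing can still cause logic errors; both are worth checking when reviewing such a diff for a backport.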