[Debian-astro-maintainers] Bug#892458: Security: please consider upgrade to 3.43(0)

Aurelien Jarno aurelien at aurel32.net
Fri Mar 9 13:16:46 UTC 2018


On 2018-03-09 12:47, Adrian Bunk wrote:
> Control: retitle -1 cfitsio: vulnerabilities
> Control: found -1 3.370-2
> 
> On Fri, Mar 09, 2018 at 09:56:39AM +0100, Ole Streicher wrote:
> > Package: cfitsio
> > Version: 3.420-3
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > a new version of cfitsio just came out, accompanied with the following
> > notice from upstream:
> > 
> > The NASA security team requires the following warning to all users of
> > CFITSIO:
> > 
> >    =====
> >    The CFITSIO open source software project contains vulnerabilities
> >    that could allow a remote, unauthenticated attacker to take control
> >    of a server running the CFITSIO software.  These vulnerabilities
> >    affect all servers and products running the CFITSIO software.
> > 
> >    The CFITSIO team has released software updates to address these
> >    vulnerabilities.  There are no workarounds to address these
> >    vulnerabilities.  In all cases, the CFITSIO team is recommending an
> >    immediate update to resolve the issues.
> >    =====
> > 
> > 
> > I didn't check the specific problem, but it may be important to upgrade.
> 
> Even more important are DSAs backporting all required fixes (if any) to 
> stable and oldstable.

It's not clear what the security issue is. There is only this announce
from NASA, and it's not track as a CVE. Looking at the diff there are
many sprintf changed into snprintf, but I am not 100% sure it's the
issue or the sole issue.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien at aurel32.net                 http://www.aurel32.net



More information about the Debian-astro-maintainers mailing list