[Git][security-tracker-team/security-tracker][master] Triaging hdf5 -- fixed versions and upstream references.
Tobias Frost (@tobi)
tobi at debian.org
Sat May 6 15:19:06 BST 2023
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d5a88857 by Tobias Frost at 2023-05-06T16:18:46+02:00
Triaging hdf5 -- fixed versions and upstream references.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -135266,6 +135266,7 @@ CVE-2021-37502 (Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows
CVE-2021-37501 (Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1 ...)
- hdf5 <unfixed> (unimportant)
NOTE: Crash in CLI tool, no security impact
+ NOTE: Fixed in 1.10.x-series in 1.10.10 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-10-newsletter-192/11006
CVE-2021-37500 (Directory traversal vulnerability in Reprise License Manager (RLM) web ...)
NOT-FOR-US: Reprise License Manager
CVE-2021-37499 (CRLF vulnerability in Reprise License Manager (RLM) web interface thro ...)
@@ -233921,20 +233922,24 @@ CVE-2020-10812 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer d
NOTE: https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5fquery-c-hdf5-1-13-0/
NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
CVE-2020-10811 (An issue was discovered in HDF5 through 1.12.0. A heap-based buffer ov ...)
- - hdf5 <unfixed> (unimportant)
+ - hdf5 1.10.8+repack1-1 (unimportant)
NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_2
NOTE: https://research.loginsoft.com/bugs/heap-buffer-overflow-in-h5olayout-c-hdf5-1-13-0/
NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
+ NOTE: Fixed in 1.10.x-series in 1.10.8 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-8-newsletter-180/9108
+ NOTE: Duplicate of CVE-2018-14033
CVE-2020-10810 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer derefer ...)
- - hdf5 <unfixed> (unimportant)
+ - hdf5 1.10.8+repack1-1 (unimportant)
NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_3
NOTE: https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5ac-c-hdf5-1-13-0/
NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
+ NOTE: Fixed in 1.10.x-series in 1.10.8 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-8-newsletter-180/9108
CVE-2020-10809 (An issue was discovered in HDF5 through 1.12.0. A heap-based buffer ov ...)
- hdf5 <unfixed> (unimportant)
NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_1
NOTE: https://research.loginsoft.com/bugs/heap-overflow-in-decompress-c-hdf5-1-13-0/
NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
+ NOTE: Fixed in 1.10.x-series in 1.10.10 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-10-newsletter-192/11006
CVE-2020-10808 (Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injectio ...)
NOT-FOR-US: Vesta Control Panel
CVE-2020-10807 (auth_svc in Caldera before 2.6.5 allows authentication bypass (for RES ...)
@@ -324511,11 +324516,13 @@ CVE-2018-17436 (ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 librar
- hdf5 <unfixed> (unimportant)
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln8#invalid-write-memory-access-in-decompressc
NOTE: Negligible security impact
+ NOTE: Fixed in 1.10.x-series in 1.10.10 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-10-newsletter-192/11006
CVE-2018-17435 (A heap-based buffer over-read in H5O_attr_decode() in H5Oattr.c in the ...)
- - hdf5 <unfixed> (unimportant)
+ - hdf5 1.10.8+repack1-1 (unimportant)
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln7#heap-overflow-in-h5o_attr_decode
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10591
NOTE: Negligible security impact
+ NOTE: Fixed for 1.10.x in 1.10.7: https://forum.hdfgroup.org/t/release-of-hdf5-1-10-7-newsletter-175-the-hdf-group/7511
CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of h5repack_ ...)
- hdf5 1.10.6+repack-2 (low)
[buster] - hdf5 <no-dsa> (Minor issue)
@@ -324530,8 +324537,9 @@ CVE-2018-17433 (A heap-based buffer overflow in ReadGifImageDesc() in gifread.c
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln8#heap-overflow-in-readgifimagedesc
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10592
NOTE: Negligible security impact
+ NOTE: Fixed in 1.10.x-series in 1.10.10 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-10-newsletter-192/11006
CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace.c in ...)
- - hdf5 <unfixed> (unimportant)
+ - hdf5 1.10.8+repack1-1 (unimportant)
[buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
@@ -324539,6 +324547,7 @@ CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace
NOTE: upstream bug tracker (not public): https://jira.hdfgroup.org/browse/HDFFV-10590
NOTE: fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8)
NOTE: Negligible security impact, malicous scientific data has more issues than a crash
+ NOTE: Fixed for 1.10.x in 1.10.8 https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.8/src/hdf5-1.10.8-RELEASE.txt
CVE-2018-17431 (Web Console in Comodo UTM Firewall before 2.7.0 allows remote attacker ...)
NOT-FOR-US: Comodo UTM
CVE-2018-17430
@@ -332463,9 +332472,10 @@ CVE-2018-14461 (The LDP parser in tcpdump before 4.9.3 has a buffer over-read in
- tcpdump 4.9.3-1 (bug #941698)
NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/aa5c6b710dfd8020d2c908d6b3bd41f1da719b3b
CVE-2018-14460 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...)
- - hdf5 <unfixed> (unimportant)
+ - hdf5 1.10.8+repack1-1 (unimportant)
NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README3.md
NOTE: Negligible security impact
+ NOTE: Fixed in 1.10.x-series in 1.10.8 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-8-newsletter-180/9108
CVE-2018-14459 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...)
- libgig <unfixed> (unimportant; bug #931309)
NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md
@@ -333650,9 +333660,10 @@ CVE-2018-14034 (An issue was discovered in the HDF HDF5 1.8.20 library. There is
NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README2.md
NOTE: Negligible security impact
CVE-2018-14033 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...)
- - hdf5 <unfixed> (unimportant)
+ - hdf5 1.10.8+repack1-1 (unimportant)
NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README2.md
NOTE: Negligible security impact
+ NOTE: Fixed in 1.10.x-series in 1.10.8 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-8-newsletter-180/9108
CVE-2018-14032
REJECTED
CVE-2018-14031 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...)
@@ -334018,11 +334029,15 @@ CVE-2018-13871 (An issue was discovered in the HDF HDF5 1.8.20 library. There is
NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5
NOTE: Negligible HDF crash, never properly reported upstrem
CVE-2018-13870 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...)
+ - hdf5 1.10.8+repack1-1 (unimportant)
NOTE: Negligible HDF crash, never properly reported upstrem
NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5
+ NOTE: Fixed for 1.10.x in 1.10.7: https://forum.hdfgroup.org/t/release-of-hdf5-1-10-7-newsletter-175-the-hdf-group/7511
CVE-2018-13869 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a mem ...)
+ - hdf5 1.10.8+repack1-1 (unimportant)
NOTE: Negligible HDF crash, never properly reported upstrem
NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5
+ NOTE: Fixed for 1.10.x in 1.10.7: https://forum.hdfgroup.org/t/release-of-hdf5-1-10-7-newsletter-175-the-hdf-group/7511
CVE-2018-13868 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...)
NOTE: Negligible HDF crash, never properly reported upstrem
NOTE: https://github.com/TeamSeri0us/pocs/tree/master/hdf5
@@ -341271,12 +341286,15 @@ CVE-2018-11207 (A division by zero was discovered in H5D__chunk_init in H5Dchunk
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10481
NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/d0362ce438aef8ad690d5b084d929403c9877107
CVE-2018-11206 (An out of bounds read was discovered in H5O_fill_new_decode and H5O_fi ...)
- - hdf5 1.10.4+repack-1 (low)
+ - hdf5 1.10.8+repack1-1 (low)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <no-dsa> (Minor issue)
[wheezy] - hdf5 <no-dsa> (Minor issue)
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10480
NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/992a199f90fec31e0ad72ed76ed279a3ccea59e4
+ NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README3.md
+ NOTE: Negligible security impact
+ NOTE: Fixed in 1.10.x-series in 1.10.8 https://forum.hdfgroup.org/t/release-of-hdf5-1-10-8-newsletter-180/9108
CVE-2018-11205 (A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the ...)
- hdf5 <unfixed> (bug #1034807)
[bookworm] - hdf5 <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a8885772385a2a2829e26aad8e90e68853b9fb
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5a8885772385a2a2829e26aad8e90e68853b9fb
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230506/1e87812e/attachment.htm>
More information about the debian-security-tracker-commits
mailing list