For the future it would be really appreciated if the CVE numbers were included in the release notes for the version they were fixed in. I was notified of the CVEs by my organization, but couldn't determine if they were fixed in the latest release until I found this mailing list post.
I'd very much understand if the goal was to keep things under wraps during the rc process and to not have a mention of the CVEs in the rc release notes, but hopefully they could be manually entered when going from the last RC to the release? As an outsider to the community, was there a way I could have viewed the HDF5 bugs? I wasn't able to find anything browsing around the website. Just some thoughts from an outsider, thanks for your consideration.

Tom Kent

> Hi Tobias,
>
> The vulnerabilities you mentioned were addressed in the HDF5 1.8.18
> release that you can obtain here:
>
> https://support.hdfgroup.org/HDF5/release/obtain518.html
>
> For the issues fixed, please see the RELEASE.txt file:
>
> https://support.hdfgroup.org/ftp/HDF5/current18/src/hdf5-1.8.18-RELEASE.txt
>
> Unfortunately, we failed to indicate the corresponding TALOS reports. Here
> they are:
>
> CVE-2016-4330: HDF5 bug HDFFV-9992 (TALOS-2016-176)
> CVE-2016-4331: HDF5 bug HDFFV-9951 (TALOS-2016-177)
> CVE-2016-4332: HDF5 bug HDFFV-9950 (TALOS-2016-178)
> CVE-2016-4333: HDF5 bug HDFFV-9993 (TALOS-2016-179)
>
> The fixes are not in HDF5-1.10.0-patch1, but will be in the HDF5 1.10.1
> release coming in January 2017.
>
> -Barbara
>
> -----Original Message-----
> From: Hdf-forum [mailto:[hidden email]] On Behalf Of Tobias Richter
> Sent: Thursday, December 01, 2016 2:48 AM
> To: HDF Users Discussion List
> Subject: [Hdf-forum] CVE-2016-4330 to CVE-2016-4333
>
> Hi,
>
> Apparently a number of security relevant problems have been found in the
> HDF5 library and have been publicised a couple of weeks ago:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333
>
> I understand there is some risk opening untrusted HDF5 files with an
> unfixed library. Some Linux distributions have pushed out patched versions
> (for example Debian), but I'm not sure there is a source release available
> (or a binary build for that matter) from the HDF group. At least I could
> not see any announcement in this mailing list or on their web page.
>
> Best wishes,
> Tobias
_______________________________________________
Hdf-forum is for HDF software users discussion.
[email protected]
http://lists.hdfgroup.org/mailman/listinfo/hdf-forum_lists.hdfgroup.org
Twitter: https://twitter.com/hdf5
