Hi Ann,

Yes, we think the vulnerabilities do exist in earlier releases.

-Barbara
[email protected]

-----Original Message-----
From: Hdf-forum [mailto:[email protected]] On Behalf Of Ann M Al-jazrawi
Sent: Thursday, December 01, 2016 10:03 AM
To: [email protected]
Subject: Re: [Hdf-forum] CVE-2016-4330 to CVE-2016-4333

Hi,

Do these vulnerabilities also exist in previous versions of HDF5 1.8.n?

Thanks!
Ann Al-Jazrawi

On 12/01/2016 09:17 AM, Barbara Jones wrote:
> Hi Tobias,
>
> The vulnerabilities you mentioned were addressed in the HDF5 1.8.18 release
> that you can obtain here:
>
> https://support.hdfgroup.org/HDF5/release/obtain518.html
>
> For the issues fixed, please see the RELEASE.txt file:
>
> https://support.hdfgroup.org/ftp/HDF5/current18/src/hdf5-1.8.18-RELEASE.txt
>
> Unfortunately, we failed to indicate the corresponding TALOS reports. Here
> they are:
>
> CVE-2016-4330: HDF5 bug HDFFV-9992 (TALOS-2016-176)
> CVE-2016-4331: HDF5 bug HDFFV-9951 (TALOS-2016-177)
> CVE-2016-4332: HDF5 bug HDFFV-9950 (TALOS-2016-178)
> CVE-2016-4333: HDF5 bug HDFFV-9993 (TALOS-2016-179)
>
> The fixes are not in HDF5-1.10.0-patch1, but will be in the HDF5 1.10.1
> release coming in January 2017.
>
> -Barbara
>
> -----Original Message-----
> From: Hdf-forum [mailto:[email protected]] On Behalf Of Tobias Richter
> Sent: Thursday, December 01, 2016 2:48 AM
> To: HDF Users Discussion List
> Subject: [Hdf-forum] CVE-2016-4330 to CVE-2016-4333
>
> Hi,
>
> Apparently a number of security-relevant problems have been found in the
> HDF5 library and were publicised a couple of weeks ago:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4330
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4331
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4332
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4333
>
> I understand there is some risk opening untrusted HDF5 files with an unfixed
> library. Some Linux distributions have pushed out patched versions (for
> example Debian), but I'm not sure there is a source release available (or a
> binary build for that matter) from the HDF Group. At least I could not see
> any announcement on this mailing list or on their web page.
>
> Best wishes,
> Tobias
>
> _______________________________________________
> Hdf-forum is for HDF software users discussion.
> [email protected]
> http://lists.hdfgroup.org/mailman/listinfo/hdf-forum_lists.hdfgroup.org
> Twitter: https://twitter.com/hdf5
