File _patchinfo of Package patchinfo.28369
<patchinfo incident="28369">
<issue tracker="bnc" id="1133222">gnu-mpich-hpc failed</issue>
<issue tracker="bnc" id="1210049">[trilinos] 'module load gnu openmpi trilinos' fails due to wrong module dependency on 'pnetcdf'</issue>
<issue tracker="bnc" id="1209548">timestamp/buildhost/kernel data makes build not reproducible</issue>
<issue tracker="bnc" id="1224158">VUL-0: hdf5: multiple CVEs</issue>
<issue id="2016-4332" tracker="cve" />
<issue id="2018-11202" tracker="cve" />
<issue id="2019-8396" tracker="cve" />
<issue id="2020-10812" tracker="cve" />
<issue id="2021-37501" tracker="cve" />
<issue id="2017-17507" tracker="cve" />
<issue id="2018-11205" tracker="cve" />
<issue id="2024-29158" tracker="cve" />
<issue id="2024-32610" tracker="cve" />
<issue id="2024-33873" tracker="cve" />
<issue id="2024-29161" tracker="cve" />
<issue id="2024-32614" tracker="cve" />
<issue id="2024-33874" tracker="cve" />
<issue id="2024-29166" tracker="cve" />
<issue id="2024-32619" tracker="cve" />
<issue id="2024-33875" tracker="cve" />
<issue id="2024-32608" tracker="cve" />
<issue id="2024-32620" tracker="cve" />
<issue tracker="bnc" id="1125882">VUL-1: CVE-2019-8396: hdf5: buffer overflow in function H5O__layout_encode in H5Olayout.c</issue>
<issue tracker="bnc" id="1167400">VUL-1: CVE-2020-10812: hdf5: A NULL pointer dereference exists in the function H5F_get_nrefs() located in H5Fquery.c (in HDF5 through 1.12.0).</issue>
<issue tracker="bnc" id="1093641">VUL-1: CVE-2018-11202: hdf5: A NULL pointer dereference in H5S_hyper_make_spans in H5Shyper.c allows a remote denial of service attack.</issue>
<issue tracker="bnc" id="1207973">VUL-0: CVE-2021-37501: hdf5: buffer overflow in hdf5-h5dump 1.10.8 through 1.13.0</issue>
<issue tracker="bnc" id="1011205">VUL-0: CVE-2016-4332: hdf5: Shareable Message Type Code Execution Vulnerability</issue>
<packager>eeich</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for hdf5, netcdf, trilinos</summary>
<description>This update for hdf5, netcdf, trilinos fixes the following issues:
hdf5 was updated from version 1.10.8 to 1.10.11:
- Security issues fixed:
* CVE-2019-8396: Fixed problems with malformed HDF5 files where content does not match expected size. (bsc#1125882)
* CVE-2018-11202: Fixed that a malformed file could result in chunk index memory leaks. (bsc#1093641)
* CVE-2016-4332: Fixed an assertion in a previous fix for this issue (bsc#1011205).
* CVE-2020-10812: Fixed a segfault on file close in h5debug, which fails with a core dump on a file that has an illegal
file size in its cache image. Fixes HDFFV-11052 (bsc#1167400).
* CVE-2021-37501: Fixed buffer overflow in hdf5-h5dump (bsc#1207973)
* Other security issues fixed (bsc#1224158):
+ CVE-2024-29158, CVE-2024-29161, CVE-2024-29166, CVE-2024-32608,
+ CVE-2024-32610, CVE-2024-32614, CVE-2024-32619, CVE-2024-32620,
+ CVE-2024-33873, CVE-2024-33874, CVE-2024-33875
+ Additionally, these fixes resolve crashes triggered by the
reproducers for CVE-2017-17507, CVE-2018-11205. These crashes
appear to be unrelated to the original problems.
- Other issues fixed:
* Remove timestamp/buildhost/kernel version from libhdf5.settings (bsc#1209548)
* Changed the error handling for a not found path in the find plugin process.
* Fixed a file space allocation bug in the parallel library for chunked datasets.
* Fixed an assertion failure in Parallel HDF5 when a file can't be created due to an invalid library version bounds
setting.
* Fixed memory leaks that could occur when reading a dataset from a malformed file.
* Fixed a bug in H5Ocopy that could generate invalid HDF5 files
* Fixed potential heap buffer overflow in decoding of link info message.
* Fixed potential buffer overrun issues in some object header decode routines.
* Fixed a heap buffer overflow that occurs when reading from a dataset with a compact layout within a malformed HDF5
file.
* Fixed memory leak when running h5dump with proof of vulnerability file.
* Added option --no-compact-subset to h5diff
* Several improvements to parallel compression feature, including:
+ Improved support for collective I/O (for both writes and reads).
+ Reduction of copying of application data buffers passed to H5Dwrite.
+ Addition of support for incremental file space allocation for filtered datasets created in parallel.
+ Addition of support for HDF5's "don't filter partial edge chunks" flag
+ Addition of proper support for HDF5 fill values with the feature.
+ Addition of 'H5_HAVE_PARALLEL_FILTERED_WRITES' macro to H5pubconf.h so HDF5 applications can determine at
compile-time whether the feature is available.
+ Addition of simple examples
* h5repack added an optional verbose value for reporting R/W timing.
* Fixed a metadata cache bug when resizing a pinned/protected cache entry.
* Fixed a problem with the H5_VERS_RELEASE check in the H5check_version function.
* Unified handling of collective metadata reads to correctly fix old bugs.
* Fixed several potential MPI deadlocks in library failure conditions.
* Fixed an issue with collective metadata reads being permanently disabled after a dataset chunk lookup operation.
netcdf was updated to fix:
- Rebuild against new hdf5 library version.
trilinos was updated to fix:
- Rebuild against new hdf5 library version.
- Fix dependency in module file for MPI version of Trilinos to depend on the correct version of netcdf (bsc#1210049).
This prevents the error message:
"Lmod has detected the following error: These module(s) or
extension(s) exist but cannot be loaded as requested: "trilinos"
</description>
</patchinfo>