File _patchinfo of Package patchinfo.28369

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.28369

<patchinfo incident="28369">
  <issue tracker="bnc" id="1133222">gnu-mpich-hpc failed</issue>
  <issue tracker="bnc" id="1210049">[trilinos] 'module load gnu openmpi trilinos' fails due to wrong module dependency on 'pnetcdf'</issue>
  <issue tracker="bnc" id="1209548">timestamp/buildhost/kernel data makes build not reproducible</issue>
  <issue tracker="bnc" id="1224158">VUL-0: hdf5: multiple CVEs</issue>
  <issue id="2016-4332" tracker="cve" />
  <issue id="2018-11202" tracker="cve" />
  <issue id="2019-8396" tracker="cve" />
  <issue id="2020-10812" tracker="cve" />
  <issue id="2021-37501" tracker="cve" />
  <issue id="2017-17507" tracker="cve" />
  <issue id="2018-11205" tracker="cve" />
  <issue id="2024-29158" tracker="cve" />
  <issue id="2024-32610" tracker="cve" />
  <issue id="2024-33873" tracker="cve" />
  <issue id="2024-29161" tracker="cve" />
  <issue id="2024-32614" tracker="cve" />
  <issue id="2024-33874" tracker="cve" />
  <issue id="2024-29166" tracker="cve" />
  <issue id="2024-32619" tracker="cve" />
  <issue id="2024-33875" tracker="cve" />
  <issue id="2024-32608" tracker="cve" />
  <issue id="2024-32620" tracker="cve" />
  <issue tracker="bnc" id="1125882">VUL-1: CVE-2019-8396: hdf5: buffer overflow in function H5O__layout_encode in H5Olayout.c</issue>
  <issue tracker="bnc" id="1167400">VUL-1: CVE-2020-10812: hdf5: A NULL pointer dereference exists in the function H5F_get_nrefs() located in H5Fquery.c (in HDF5 through 1.12.0).</issue>
  <issue tracker="bnc" id="1093641">VUL-1: CVE-2018-11202: hdf5: A NULL pointer dereference in H5S_hyper_make_spans in H5Shyper.c allows a remote denial of service attack.</issue>
  <issue tracker="bnc" id="1207973">VUL-0: CVE-2021-37501: hdf5: buffer overflow in hdf5-h5dump 1.10.8 through 1.13.0</issue>
  <issue tracker="bnc" id="1011205">VUL-0: CVE-2016-4332: hdf5: Shareable Message Type Code Execution Vulnerability</issue>
  <packager>eeich</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for hdf5, netcdf, trilinos </summary>
  <description>This update for hdf5, netcdf, trilinos fixes the following issues:

hdf5 was updated from version 1.10.8 to 1.10.11:

- Security issues fixed:

* CVE-2019-8396: Fixed problems with malformed HDF5 files where content does not match expected size. (bsc#1125882)
  * CVE-2018-11202: Fixed that a malformed file could result in chunk index memory leaks. (bsc#1093641)
  * CVE-2016-4332: Fixed an assertion in a previous fix for this issue (bsc#1011205).
  * CVE-2020-10812: Fixed a segfault on file close in h5debug which fails with a core dump on a file that has an illegal
    file size in its cache image.Fixes HDFFV-11052, (bsc#1167400).
  * CVE-2021-37501: Fixed buffer overflow in hdf5-h5dump (bsc#1207973)
  * Other security issues fixed (bsc#1224158):

+  CVE-2024-29158, CVE-2024-29161, CVE-2024-29166, CVE-2024-32608,
    +  CVE-2024-32610, CVE-2024-32614, CVE-2024-32619, CVE-2024-32620,
    +  CVE-2024-33873, CVE-2024-33874, CVE-2024-33875
    +  Additionally, these fixes resolve crashes triggered by the
       reproducers for CVE-2017-17507, CVE-2018-11205. These crashes
       appear to be unrelated to the original problems

- Other issues fixed:

* Remove timestamp/buildhost/kernel version from libhdf5.settings (bsc#1209548)
  * Changed the error handling for a not found path in the find plugin process.
  * Fixed a file space allocation bug in the parallel library for chunked datasets.
  * Fixed an assertion failure in Parallel HDF5 when a file can't be created due to an invalid library version bounds
    setting.
  * Fixed memory leaks that could occur when reading a dataset from a malformed file.
  * Fixed a bug in H5Ocopy that could generate invalid HDF5 files
  * Fixed potential heap buffer overflow in decoding of link info message.
  * Fixed potential buffer overrun issues in some object header decode routines.
  * Fixed a heap buffer overflow that occurs when reading from a dataset with a compact layout within a malformed HDF5
    file.
  * Fixed memory leak when running h5dump with proof of vulnerability file.
  * Added option --no-compact-subset to h5diff
  * Several improvements to parallel compression feature, including:

+ Improved support for collective I/O (for both writes and reads).
    + Reduction of copying of application data buffers passed to H5Dwrite.
    + Addition of support for incremental file space allocation for filtered datasets created in parallel.
    + Addition of support for HDF5's "don't filter partial edge chunks" flag
    + Addition of proper support for HDF5 fill values with the feature.
    + Addition of 'H5_HAVE_PARALLEL_FILTERED_WRITES' macro toH5pubconf.h so HDF5 applications can determine at
      compile-time whether the feature is available.
    + Addition of simple examples

* h5repack added an optional verbose value for reporting R/W timing.
  * Fixed a metadata cache bug when resizing a pinned/protected cache entry.
  * Fixed a problem with the H5_VERS_RELEASE check in the H5check_version function.
  * Unified handling of collective metadata reads to correctly fix old bugs.
  * Fixed several potential MPI deadlocks in library failure conditions.
  * Fixed an issue with collective metadata reads being permanently disabled after a dataset chunk lookup operation.

netcdf was updated to fix:

- rebuild against new hdf5 library version.

trilinos was updated to fix:

- Rebuild against new hdf5 library version.
- Fix dependency in module file for MPI version of Trilinos to depend on the correct version of netcdf (bsc#1210049).
  This prevents the error message:
  "Lmod has detected the following error: These module(s) or
   extension(s) exist but cannot be loaded as requested: "trilinos"
</description>
</patchinfo>

Places

File _patchinfo of Package patchinfo.28369

Places