cfitsio vulnerability (fixed in 3.43)

Bug #1754390 reported by Achim Bohnet on 2018-03-08
This bug affects 1 person
Affects: cfitsio (Debian) | Status: Fix Released | Importance: Unknown
Affects: cfitsio (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

I received today the HEASOFT announcement mentioning a bug in CFITSIO
reported by NASA. See 'latest news' section at

https://heasarc.gsfc.nasa.gov/docs/archive.html

... This release also fixes a security vulnerability identified in cfitsio; if you have code running cfitsio on a server we strongly recommend updating as soon as possible.

Changelog

https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c/docs/changes2.txt

Achim Bohnet (allee) on 2018-03-08
description: updated
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in cfitsio (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Changed in cfitsio (Debian):
status: Unknown → New
Changed in cfitsio (Debian):
status: New → Fix Released
Achim Bohnet (allee) wrote :

Debian sid contains the fixed cfitsio version, can someone trigger a sync to bionic?

The corresponding Debian bug is closed, but nevertheless even after the sync
to bionic there are missing backports (in Debian & Ubuntu):

  artful
  xenial
  trusty

Changed in cfitsio (Ubuntu):
status: Incomplete → Confirmed
Seth Arnold (seth-arnold) wrote :

Thanks Achim, the sync has been requested; it's after feature freeze date, so the release team may decide to hold it up, but the upstream changelog looked encouragingly like bugfixes-only to me: https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c/docs/changes2.txt

Thanks

M. Arida (marida) wrote :

I would strongly recommend updating to CFITSIO 3.44, which patched several more issues. Though 3.45, which should be released in the next two weeks, will also contain an annoying bug fix.

https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c/docs/changes.txt

                   Log of Changes Made to CFITSIO

Version 3.44 - April 2018

  - This release primarily patches security vulnerabilities. We
    strongly encourage this upgrade, particularly for those running
    CFITSIO in web accessible applications.
.
.
.
