Bug 214938

Summary: science/hdf5-18 - multiple vulnerabilities & missing vuxml entry
Product: Ports & Packages Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s) Assignee: Thierry Thomas <thierry>
Status: Closed FIXED    
Severity: Affects Some People CC: feld, ports-secteam
Priority: --- Keywords: security
Version: Latest Flags: thierry: maintainer-feedback+
Hardware: Any   
OS: Any   

Description Sevan Janiyan 2016-11-30 00:32:51 UTC
http://blog.talosintel.com/2016/11/hdf5-vulns.html
Comment 1 Thierry Thomas freebsd_committer freebsd_triage 2016-11-30 08:24:25 UTC
It seems that the reported vulnerabilities were discovered in HDF5-1.8.16, and have been fixed in HDF5-1.8.17.

The port science/hdf5-18 was removed from the tree between the versions HDF5-1.8.10 (03 May 2014) and HDF5-1.8.17 (13 Nov 2016), and I'm not sure if HDF5-1.8.10 is concerned; could you please comment?

Note: HDF5-1.8.18 is released, and I'm about to upgrade this port.
Comment 2 Mark Felder freebsd_committer freebsd_triage 2016-12-06 16:34:16 UTC
I received info from Talos that the vulnerabilities are fixed as of 1.8.18pre1 and they will be updating their blog post to state that as well.
Comment 3 commit-hook freebsd_committer freebsd_triage 2017-01-09 16:50:43 UTC
A commit references this bug:

Author: feld
Date: Mon Jan  9 16:49:45 UTC 2017
New revision: 430979
URL: https://svnweb.freebsd.org/changeset/ports/430979

Log:
  Document hdf5 CVEs

  PR:		214938
  Security:	CVE-2016-4330
  Security:	CVE-2016-4331
  Security:	CVE-2016-4332
  Security:	CVE-2016-4333

Changes:
  head/security/vuxml/vuln.xml