Bug 29241

Summary: netcdf new security issues CVE-2019-2000[5-7] CVE-2019-2019[89] CVE-2019-2020[0-2] CVE-2021-2622[0-2] CVE-2021-30485 CVE-2021-31229 CVE-2021-3134[78] CVE-2021-31598
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, nicolas.salguero, pterjan, rverschelde, sysadmin-bugs
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: netcdf-4.7.4-3.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-07-09 17:56:50 CEST
Debian-LTS has issued an advisory on July 8:
https://www.debian.org/lts/security/2021/dla-2705

The issues are actually from a bundled library called ezXML which is also in netcdf, and there are more CVEs listed in this bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360

Mageia 8 is also affected.

David Walser 2021-07-09 17:57:00 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-07-09 21:17:37 CEST
This has no registered nor consistent maintainer, so assigning globally.
CC'ing pterjan & akien who have both done several recent updates to it.

Assignee: bugsquad => pkg-bugs
CC: (none) => pterjan, rverschelde

Comment 2 David Walser 2021-11-26 18:21:04 CET
openSUSE has issued an advisory for this on November 25:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DM4S3HXSBD3QQY6J6J2S4KVWTO63OS7U/

Comment 3 Nicolas Salguero 2021-12-06 11:54:25 CET
For Mageia8, netcdf-4.7.4-3.1.mga8, which includes the patches from openSUSE, should solve the problem.

For Cauldron, netcdf fails to build because of some tests.

CC: (none) => nicolas.salguero

Comment 4 David Walser 2021-12-06 16:05:32 CET
Looks like "nc_test" is the failure.

Mageia 8 packages:
libnetcdf18-4.7.4-3.1.mga8
libnetcdf-devel-4.7.4-3.1.mga8
netcdf-4.7.4-3.1.mga8

Status comment: (none) => Test suite failure in Cauldron

Comment 5 Nicolas Lécureuil 2021-12-18 15:37:41 CET
Latest netcdf is on Cauldron.

Assignee: pkg-bugs => qa-bugs
Status comment: Test suite failure in Cauldron => (none)
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 6 Herman Viaene 2021-12-20 14:44:01 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No wiki, no previous updates, reading description of netcdf in MCC:
"NetCDF (network Common Data Form) is an interface for array-oriented data access and a freely-distributed collection of software libraries for C, Fortran, C++, and perl that provides an implementation of the interface."
OK'ing this on clean install as we do for other developer's stuff.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2021-12-20 18:45:28 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-12-23 19:48:32 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2021-12-23 22:02:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0580.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED