-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2741
                    Security update for hdf5, suse-hpc
                                6 June 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           hdf5 and suse-hpc
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10811 CVE-2020-10810 CVE-2020-10809
                   CVE-2018-17438 CVE-2018-17437 CVE-2018-17436
                   CVE-2018-17435 CVE-2018-17434 CVE-2018-17433
                   CVE-2018-17432 CVE-2018-17237 CVE-2018-17234
                   CVE-2018-17233 CVE-2018-14460 CVE-2018-14033
                   CVE-2018-14032 CVE-2018-13870 CVE-2018-13869
                   CVE-2018-11207 CVE-2018-11206 CVE-2018-11204
                   CVE-2018-11203 CVE-2018-11202 CVE-2017-17509
                   CVE-2017-17508 CVE-2017-17506 CVE-2017-17505

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2022/suse-su-20221933-1

Comment: CVSS (Max):  8.1 CVE-2020-10809 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for hdf5, suse-hpc

______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:1933-1
Rating:            important
References:        #1058563 #1072087 #1072090 #1072108 #1072111 #1080022
                   #1080259 #1080426 #1080442 #1082209 #1084951 #1088547
                   #1091237 #1093641 #1093649 #1093653 #1093655 #1093657
                   #1101471 #1101474 #1101493 #1101495 #1102175 #1109166
                   #1109167 #1109168 #1109564 #1109565 #1109566 #1109567
                   #1109568 #1109569 #1109570 #1116458 #1124509 #1133222
                   #1134298 #1167401 #1167404 #1167405 #1169793 #1174439
                   #1179521 #1196682
Cross-References:  CVE-2017-17505 CVE-2017-17506 CVE-2017-17508 CVE-2017-17509
                   CVE-2018-11202 CVE-2018-11203 CVE-2018-11204 CVE-2018-11206
                   CVE-2018-11207 CVE-2018-13869 CVE-2018-13870 CVE-2018-14032
                   CVE-2018-14033 CVE-2018-14460 CVE-2018-17233 CVE-2018-17234
                   CVE-2018-17237 CVE-2018-17432 CVE-2018-17433 CVE-2018-17434
                   CVE-2018-17435 CVE-2018-17436 CVE-2018-17437 CVE-2018-17438
                   CVE-2020-10809 CVE-2020-10810 CVE-2020-10811
Affected Products:
                   SUSE Linux Enterprise Module for HPC 12
______________________________________________________________________________

An update that solves 27 vulnerabilities, contains four features and has 17
fixes is now available.

Description:

This update for hdf5, suse-hpc fixes the following issues:
Security issues fixed:

  o CVE-2020-10811: Fixed heap-based buffer over-read in the function
    H5O__layout_decode() located in H5Olayout.c (bsc#1167405).
  o CVE-2020-10810: Fixed NULL pointer dereference in the function
    H5AC_unpin_entry() located in H5AC.c (bsc#1167401).
  o CVE-2020-10809: Fixed heap-based buffer overflow in the function
    Decompress() located in decompress.c (bsc#1167404).
  o CVE-2018-17438: Fixed SIGFPE signal raise in the function H5D__select_io()
    of H5Dselect.c (bsc#1109570).
  o CVE-2018-17437: Fixed memory leak in the H5O_dtype_decode_helper() function
    in H5Odtype.c (bsc#1109569).
  o CVE-2018-17436: Fixed issue in ReadCode() in decompress.c that allowed
    attackers to cause a denial of service via a crafted HDF5 file
    (bsc#1109568).
  o CVE-2018-17435: Fixed heap-based buffer over-read in H5O_attr_decode() in
    H5Oattr.c (bsc#1109567).
  o CVE-2018-17434: Fixed SIGFPE signal raise in function apply_filters() of
    h5repack_filters.c (bsc#1109566).
  o CVE-2018-17433: Fixed heap-based buffer overflow in ReadGifImageDesc() in
    gifread.c (bsc#1109565).
  o CVE-2018-17432: Fixed NULL pointer dereference in H5O_sdspace_encode() in
    H5Osdspace.c (bsc#1109564).
  o CVE-2018-17237: Fixed SIGFPE signal raise in the function
    H5D__chunk_set_info_real() (bsc#1109168).
  o CVE-2018-17234: Fixed memory leak in the H5O__chunk_deserialize() function
    in H5Ocache.c (bsc#1109167).
  o CVE-2018-17233: Fixed SIGFPE signal raise in the function
    H5D__create_chunk_file_map_hyper() (bsc#1109166).
  o CVE-2018-14460: Fixed heap-based buffer over-read in the function
    H5O_sdspace_decode in H5Osdspace.c (bsc#1102175).
  o CVE-2018-14033: Fixed heap-based buffer over-read in the function
    H5O_layout_decode in H5Olayout.c (bsc#1101471).
  o CVE-2018-14032: Fixed heap-based buffer over-read in the function
    H5O_fill_new_decode in H5Ofill.c (bsc#1101474).
  o CVE-2018-13870: Fixed heap-based buffer over-read in the function
    H5O_link_decode in H5Olink.c (bsc#1101493).
  o CVE-2018-13869: Fixed memcpy parameter overlap in the function
    H5O_link_decode in H5Olink.c (bsc#1101495).
  o CVE-2018-11207: Fixed division by zero in H5D__chunk_init in H5Dchunk.c
    (bsc#1093653).
  o CVE-2018-11206: Fixed out of bounds read in H5O_fill_new_decode and
    H5O_fill_old_decode in H5Ofill.c (bsc#1093657).
  o CVE-2018-11204: Fixed NULL pointer dereference in H5O__chunk_deserialize in
    H5Ocache.c (bsc#1093655).
  o CVE-2018-11203: Fixed division by zero in H5D__btree_decode_key in
    H5Dbtree.c (bsc#1093649).
  o CVE-2018-11202: Fixed NULL pointer dereference in H5S_hyper_make_spans in
    H5Shyper.c (bsc#1093641).
  o CVE-2017-17509: Fixed out of bounds write vulnerability in function
    H5G__ent_decode_vec (bsc#1072111).
  o CVE-2017-17508: Fixed divide-by-zero vulnerability in function H5T_set_loc
    (bsc#1072108).
  o CVE-2017-17506: Fixed out of bounds read in the function
    H5Opline_pline_decode (bsc#1072090).
  o CVE-2017-17505: Fixed NULL pointer dereference in the function
    H5O_pline_decode (bsc#1072087).


Bugfixes:

  o Expand modules handling (bsc#1116458).
  o Fix default moduleversion link generation and deletion (bsc#1124509).
  o Set higher constraints for successful mpich tests (bsc#1133222).
  o Only build one examples package for all flavors, do not include
    dependencies as these would be flavor specific (bsc#1088547).
  o Prepend PKG_CONFIG_PATH in modules file (bsc#1080426).
  o Validate Python 3 code (bsc#1082209).
  o Fix library link flags on pkg-config file for HPC builds (bsc#1134298).
  o Fix .so number in baselibs.conf for libhdf5_fortran libs (bsc#1169793).
  o Fix python-h5py packages built against out-of-date version of HDF5
    (bsc#1196682).
  o Fix netcdf-cxx4 packages built against out-of-date version of HDF5
    (bsc#1179521).
  o Make module files package arch dependent: it contains arch-dependent paths
    (bsc#1080442).
  o Disable %check stage for mpich builds on s390(x) (bsc#1080022).
  o Add build support for gcc10 to HPC build (bsc#1174439).
  o Fix summary in module files (bsc#1080259).
  o Append a newline to the shebang line prepended by the
    %hpc_shebang_prepend_list macro (bsc#1084951).
  o Temporarily disable make check for PowerPC (bsc#1058563).
  o Fix HPC library master packages dependency: make it require the correct
    flavor (bsc#1091237).
  o Add HPC support for gcc8 and gcc9 (jsc#SLE-7766 & jsc#SLE-8604).
  o Enable openmpi3 builds for Leap and SLE > 15.1 (jsc#SLE-7773).
  o HDF5 version Update to 1.10.5 (jsc#SLE-8501).
  o Add support for openmpi2 for HPC (FATE#325089).
  o Initial version (FATE#320596).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for HPC 12:
    zypper in -t patch SUSE-SLE-Module-HPC-12-2022-1933=1

Package List:

  o SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64):
       hdf5_1_10_8-gnu-hpc-1.10.8-3.12.2
       hdf5_1_10_8-gnu-hpc-debuginfo-1.10.8-3.12.2
       hdf5_1_10_8-gnu-hpc-debugsource-1.10.8-3.12.2
       hdf5_1_10_8-gnu-hpc-devel-1.10.8-3.12.2
       hdf5_1_10_8-gnu-hpc-devel-static-1.10.8-3.12.2
       hdf5_1_10_8-gnu-hpc-module-1.10.8-3.12.2
       hdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2
       hdf5_1_10_8-gnu-mvapich2-hpc-debuginfo-1.10.8-3.12.2
       hdf5_1_10_8-gnu-mvapich2-hpc-debugsource-1.10.8-3.12.2
       hdf5_1_10_8-gnu-mvapich2-hpc-devel-1.10.8-3.12.2
       hdf5_1_10_8-gnu-mvapich2-hpc-devel-static-1.10.8-3.12.2
       hdf5_1_10_8-gnu-mvapich2-hpc-module-1.10.8-3.12.2
       hdf5_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2
       hdf5_1_10_8-gnu-openmpi1-hpc-debuginfo-1.10.8-3.12.2
       hdf5_1_10_8-gnu-openmpi1-hpc-debugsource-1.10.8-3.12.2
       hdf5_1_10_8-gnu-openmpi1-hpc-devel-1.10.8-3.12.2
       hdf5_1_10_8-gnu-openmpi1-hpc-devel-static-1.10.8-3.12.2
       hdf5_1_10_8-gnu-openmpi1-hpc-module-1.10.8-3.12.2
       libhdf5-gnu-hpc-1.10.8-3.12.2
       libhdf5-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5_1_10_8-gnu-hpc-1.10.8-3.12.2
       libhdf5_1_10_8-gnu-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5_1_10_8-gnu-mvapich2-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5_1_10_8-gnu-openmpi1-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_cpp-gnu-hpc-1.10.8-3.12.2
       libhdf5_cpp_1_10_8-gnu-hpc-1.10.8-3.12.2
       libhdf5_cpp_1_10_8-gnu-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_fortran-gnu-hpc-1.10.8-3.12.2
       libhdf5_fortran-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5_fortran-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5_fortran_1_10_8-gnu-hpc-1.10.8-3.12.2
       libhdf5_fortran_1_10_8-gnu-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_fortran_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5_fortran_1_10_8-gnu-mvapich2-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_fortran_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5_fortran_1_10_8-gnu-openmpi1-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_hl-gnu-hpc-1.10.8-3.12.2
       libhdf5_hl-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5_hl-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5_hl_1_10_8-gnu-hpc-1.10.8-3.12.2
       libhdf5_hl_1_10_8-gnu-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_hl_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5_hl_1_10_8-gnu-mvapich2-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_hl_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5_hl_1_10_8-gnu-openmpi1-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_hl_cpp-gnu-hpc-1.10.8-3.12.2
       libhdf5_hl_cpp_1_10_8-gnu-hpc-1.10.8-3.12.2
       libhdf5_hl_cpp_1_10_8-gnu-hpc-debuginfo-1.10.8-3.12.2
       libhdf5_hl_fortran-gnu-hpc-1.10.8-3.12.2
       libhdf5_hl_fortran-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5_hl_fortran-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5hl_fortran_1_10_8-gnu-hpc-1.10.8-3.12.2
       libhdf5hl_fortran_1_10_8-gnu-hpc-debuginfo-1.10.8-3.12.2
       libhdf5hl_fortran_1_10_8-gnu-mvapich2-hpc-1.10.8-3.12.2
       libhdf5hl_fortran_1_10_8-gnu-mvapich2-hpc-debuginfo-1.10.8-3.12.2
       libhdf5hl_fortran_1_10_8-gnu-openmpi1-hpc-1.10.8-3.12.2
       libhdf5hl_fortran_1_10_8-gnu-openmpi1-hpc-debuginfo-1.10.8-3.12.2
       suse-hpc-0.5.20220206.0c6b168-5.2
  o SUSE Linux Enterprise Module for HPC 12 (noarch):
       hdf5-gnu-hpc-devel-1.10.8-3.12.2
       hdf5-gnu-mvapich2-hpc-devel-1.10.8-3.12.2
       hdf5-gnu-openmpi1-hpc-devel-1.10.8-3.12.2
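
A way to confirm the fix actually landed after running the zypper command above, as an added example that is not part of the SUSE or AusCERT text: the script reads lines shaped like the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` and compares each advisory package against the version-release taken from the Package List, using the same segment-wise comparison rpm itself uses (rpmvercmp, re-implemented here in Python; the caret rule added in newer rpm releases is left out). The `rpm -qa` lines are constructed sample data, including one deliberately stale release (3.9.1) that does not appear anywhere in the advisory.

```python
"""Check installed packages against SUSE-SU-2022:1933-1 (added example).

Input lines look like the output of
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
Advisory packages whose installed version-release is older than the fixed
build are reported. Version comparison re-implements rpm's rpmvercmp.
"""
import string

# Fixed builds copied from the advisory's Package List (aarch64/x86_64 set).
# Only the runtime pieces a host that merely consumes HDF5 would carry.
FIXED = {
    "libhdf5_1_10_8-gnu-hpc": "1.10.8-3.12.2",
    "libhdf5_hl_1_10_8-gnu-hpc": "1.10.8-3.12.2",
    "libhdf5_cpp_1_10_8-gnu-hpc": "1.10.8-3.12.2",
    "hdf5_1_10_8-gnu-hpc": "1.10.8-3.12.2",
    "suse-hpc": "0.5.20220206.0c6b168-5.2",
}

_ALNUM = set(string.ascii_letters + string.digits)


def _strip_separators(s: str) -> str:
    """Drop leading characters rpm ignores: anything not alphanumeric or '~'."""
    i = 0
    while i < len(s) and s[i] not in _ALNUM and s[i] != "~":
        i += 1
    return s[i:]


def _segment(s: str) -> str:
    """Leading all-digit or all-letter run of s (caller guarantees s[0] is alnum)."""
    want_digit = s[0].isdigit()
    i = 0
    while i < len(s) and s[i] in _ALNUM and s[i].isdigit() == want_digit:
        i += 1
    return s[:i]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does; returns -1/0/1.

    Alternating numeric and alphabetic segments are compared in turn: numbers
    as integers (so 12 > 9), letters lexically, a numeric segment beats an
    alphabetic one, '~' sorts before anything (pre-release), and if one string
    runs out first the longer one is newer. rpm's newer '^' rule is omitted.
    """
    while True:
        a, b = _strip_separators(a), _strip_separators(b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        sa, sb = _segment(a), _segment(b)
        if sa[0].isdigit() != sb[0].isdigit():
            return 1 if sa[0].isdigit() else -1
        if sa[0].isdigit():
            ia, ib = int(sa), int(sb)
            if ia != ib:
                return 1 if ia > ib else -1
        elif sa != sb:
            return 1 if sa > sb else -1
        a, b = a[len(sa):], b[len(sb):]
    if not a and not b:
        return 0
    return 1 if a else -1


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings: version decides unless equal, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def missing_updates(rpm_qa_lines, fixed=FIXED) -> dict:
    """Return {name: installed_evr} for advisory packages still below the fixed build.

    Packages not named in the advisory are ignored; anything at or above the
    fixed build passes.
    """
    stale = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, _, evr = line.partition(" ")
        if name in fixed and evr_cmp(evr, fixed[name]) < 0:
            stale[name] = evr
    return stale


# Constructed sample output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.
# libhdf5_hl is left on a made-up older release 3.9.1 to show a miss; the
# other advisory packages are at the fixed build; glibc is unrelated noise.
SAMPLE_RPM_QA = """\
libhdf5_1_10_8-gnu-hpc 1.10.8-3.12.2
libhdf5_hl_1_10_8-gnu-hpc 1.10.8-3.9.1
hdf5_1_10_8-gnu-hpc 1.10.8-3.12.2
suse-hpc 0.5.20220206.0c6b168-5.2
glibc 2.22-100.45.1
""".splitlines()

if __name__ == "__main__":
    for name, evr in sorted(missing_updates(SAMPLE_RPM_QA).items()):
        print("STALE %s %s (fixed in %s)" % (name, evr, FIXED[name]))
```

On a real host, feed the actual `rpm -qa` output in place of the sample. Two caveats apply: the HPC package names embed the HDF5 version (hdf5_1_10_8-...), so an older HDF5 build installed under a differently versioned name is not matched by a name lookup and has to be found with `rpm -qa 'hdf5*' 'libhdf5*'`; and swapping the library on disk does not fix processes that already have the old libhdf5 mapped, which keep running the vulnerable parser until restarted (`zypper ps` lists them).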


References:

  o https://www.suse.com/security/cve/CVE-2017-17505.html
  o https://www.suse.com/security/cve/CVE-2017-17506.html
  o https://www.suse.com/security/cve/CVE-2017-17508.html
  o https://www.suse.com/security/cve/CVE-2017-17509.html
  o https://www.suse.com/security/cve/CVE-2018-11202.html
  o https://www.suse.com/security/cve/CVE-2018-11203.html
  o https://www.suse.com/security/cve/CVE-2018-11204.html
  o https://www.suse.com/security/cve/CVE-2018-11206.html
  o https://www.suse.com/security/cve/CVE-2018-11207.html
  o https://www.suse.com/security/cve/CVE-2018-13869.html
  o https://www.suse.com/security/cve/CVE-2018-13870.html
  o https://www.suse.com/security/cve/CVE-2018-14032.html
  o https://www.suse.com/security/cve/CVE-2018-14033.html
  o https://www.suse.com/security/cve/CVE-2018-14460.html
  o https://www.suse.com/security/cve/CVE-2018-17233.html
  o https://www.suse.com/security/cve/CVE-2018-17234.html
  o https://www.suse.com/security/cve/CVE-2018-17237.html
  o https://www.suse.com/security/cve/CVE-2018-17432.html
  o https://www.suse.com/security/cve/CVE-2018-17433.html
  o https://www.suse.com/security/cve/CVE-2018-17434.html
  o https://www.suse.com/security/cve/CVE-2018-17435.html
  o https://www.suse.com/security/cve/CVE-2018-17436.html
  o https://www.suse.com/security/cve/CVE-2018-17437.html
  o https://www.suse.com/security/cve/CVE-2018-17438.html
  o https://www.suse.com/security/cve/CVE-2020-10809.html
  o https://www.suse.com/security/cve/CVE-2020-10810.html
  o https://www.suse.com/security/cve/CVE-2020-10811.html
  o https://bugzilla.suse.com/1058563
  o https://bugzilla.suse.com/1072087
  o https://bugzilla.suse.com/1072090
  o https://bugzilla.suse.com/1072108
  o https://bugzilla.suse.com/1072111
  o https://bugzilla.suse.com/1080022
  o https://bugzilla.suse.com/1080259
  o https://bugzilla.suse.com/1080426
  o https://bugzilla.suse.com/1080442
  o https://bugzilla.suse.com/1082209
  o https://bugzilla.suse.com/1084951
  o https://bugzilla.suse.com/1088547
  o https://bugzilla.suse.com/1091237
  o https://bugzilla.suse.com/1093641
  o https://bugzilla.suse.com/1093649
  o https://bugzilla.suse.com/1093653
  o https://bugzilla.suse.com/1093655
  o https://bugzilla.suse.com/1093657
  o https://bugzilla.suse.com/1101471
  o https://bugzilla.suse.com/1101474
  o https://bugzilla.suse.com/1101493
  o https://bugzilla.suse.com/1101495
  o https://bugzilla.suse.com/1102175
  o https://bugzilla.suse.com/1109166
  o https://bugzilla.suse.com/1109167
  o https://bugzilla.suse.com/1109168
  o https://bugzilla.suse.com/1109564
  o https://bugzilla.suse.com/1109565
  o https://bugzilla.suse.com/1109566
  o https://bugzilla.suse.com/1109567
  o https://bugzilla.suse.com/1109568
  o https://bugzilla.suse.com/1109569
  o https://bugzilla.suse.com/1109570
  o https://bugzilla.suse.com/1116458
  o https://bugzilla.suse.com/1124509
  o https://bugzilla.suse.com/1133222
  o https://bugzilla.suse.com/1134298
  o https://bugzilla.suse.com/1167401
  o https://bugzilla.suse.com/1167404
  o https://bugzilla.suse.com/1167405
  o https://bugzilla.suse.com/1169793
  o https://bugzilla.suse.com/1174439
  o https://bugzilla.suse.com/1179521
  o https://bugzilla.suse.com/1196682

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----