netcdf - Debian Package Tracker

general

source: netcdf (main)
version: 1:4.9.3-1
maintainer: Debian GIS Project (archive) (DMD)
uploaders: Bas Couwenberg [DMD] – Nico Schlömer [DMD] – Francesco Paolo Lovergine [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:4.7.4-1
oldstable: 1:4.9.0-3
stable: 1:4.9.3-1
testing: 1:4.9.3-1
unstable: 1:4.9.3-1

versioned links

1:4.7.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.9.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.9.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.10.0-1~exp1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnetcdf-dev
libnetcdf22
netcdf-bin
netcdf-doc

action needed

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2025-14932: NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

Created: 2025-12-25 Last update: 2026-01-30 17:52

5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:

CVE-2025-14932: NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

Created: 2025-12-25 Last update: 2026-01-30 17:52

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 144f037321028f621daf3b7bb80508527119e439
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Thu Feb 26 06:54:18 2026 +0100

    Don't use test-build-validate-cleanup, fails where pbuilder --twice succeeds.

Created: 2025-03-20 Last update: 2026-02-26 09:03

5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:

CVE-2025-14932: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-12-25 Last update: 2026-01-30 17:52

5 low-priority security issues in bookworm low

There are 5 open security issues in bookworm.

5 issues left for the package maintainer to handle:

CVE-2025-14932: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-12-25 Last update: 2026-01-30 17:52

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-12-23 20:00

news

[rss feed]

[2026-02-26] Accepted netcdf 1:4.10.0-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-02-16] netcdf 1:4.9.3-1 MIGRATED to testing (Debian testing watch)
[2025-02-14] Accepted netcdf 1:4.9.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-02-11] Accepted netcdf 1:4.9.3-1~exp2 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-02-08] Accepted netcdf 1:4.9.3-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-12-07] Accepted netcdf 1:4.9.3~rc2-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-08-15] netcdf 1:4.9.2-7 MIGRATED to testing (Debian testing watch)
[2024-08-12] Accepted netcdf 1:4.9.2-7 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-07-27] Accepted netcdf 1:4.9.3~rc1-1~exp1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2024-05-13] netcdf 1:4.9.2-6 MIGRATED to testing (Debian testing watch)
[2024-05-11] Accepted netcdf 1:4.9.2-6 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-05-07] netcdf 1:4.9.2-5 MIGRATED to testing (Debian testing watch)
[2024-05-07] netcdf 1:4.9.2-5 MIGRATED to testing (Debian testing watch)
[2024-03-02] Accepted netcdf 1:4.9.2-5 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-03-02] netcdf 1:4.9.2-4 MIGRATED to testing (Debian testing watch)
[2024-02-28] Accepted netcdf 1:4.9.2-4 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-02-05] Accepted netcdf 1:4.9.2-4~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-02-05] Accepted netcdf 1:4.9.2-3.1~exp1 (source) into experimental (Graham Inggs)
[2023-12-19] netcdf 1:4.9.2-3 MIGRATED to testing (Debian testing watch)
[2023-12-16] Accepted netcdf 1:4.9.2-3 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-09-09] netcdf 1:4.9.2-2 MIGRATED to testing (Debian testing watch)
[2023-09-09] netcdf 1:4.9.2-2 MIGRATED to testing (Debian testing watch)
[2023-09-04] Accepted netcdf 1:4.9.2-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-06-20] netcdf 1:4.9.2-1 MIGRATED to testing (Debian testing watch)
[2023-06-13] Accepted netcdf 1:4.9.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-03-15] Accepted netcdf 1:4.9.2-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-02-06] Accepted netcdf 1:4.9.1-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2022-11-22] Accepted netcdf 1:4.9.1~rc2-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2022-10-22] Accepted netcdf 1:4.9.1~rc1-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2022-08-04] netcdf 1:4.9.0-3 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, exp, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:4.9.3-1build2
6 bugs