netcdf - Debian Package Tracker

general

source: netcdf (main)
version: 1:4.10.0-1
maintainer: Debian GIS Project (archive) (DMD)
uploaders: Francesco Paolo Lovergine [DMD] – Bas Couwenberg [DMD] – Nico Schlömer [DMD]
arch: all any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:4.7.4-1
oldstable: 1:4.9.0-3
stable: 1:4.9.3-1
testing: 1:4.10.0-1
unstable: 1:4.10.0-1

versioned links

1:4.7.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.9.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.9.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.10.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libnetcdf-dev
libnetcdf22
netcdf-bin
netcdf-doc

action needed

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2025-14932: NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

Created: 2025-12-25 Last update: 2026-03-03 05:00

5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:

CVE-2025-14932: NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

Created: 2025-12-25 Last update: 2026-03-03 05:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1:4.10.0-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 9b754570406d6c5ad0ecba5f629dc893a249e0b0
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat Apr 4 10:54:24 2026 +0200

    Fix changelog entry.

commit 06e2caf6c234e6d5677e8364f9d2dc31772348c1
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sat Apr 4 10:15:36 2026 +0200

    Bump Standards-Version to 4.7.4, changes: priority.

commit 3e9e9ba0895e3a7c2a0ea07be1b30530261b873f
Author: Bas Couwenberg <sebastic@xs4all.nl>
Date:   Sun Mar 29 14:37:25 2026 +0200

    Enable build profile CI job.

Created: 2026-03-29 Last update: 2026-04-04 11:31

5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:

CVE-2025-14932: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-12-25 Last update: 2026-03-03 05:00

5 low-priority security issues in bookworm low

There are 5 open security issues in bookworm.

5 issues left for the package maintainer to handle:

CVE-2025-14932: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
CVE-2025-14933: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
CVE-2025-14934: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
CVE-2025-14935: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
CVE-2025-14936: (postponed; to be fixed through a stable update) NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-12-25 Last update: 2026-03-03 05:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

testing migrations

This package will soon be part of the auto-hdf5 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-03-03] netcdf 1:4.10.0-1 MIGRATED to testing (Debian testing watch)
[2026-02-28] Accepted netcdf 1:4.10.0-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-02-26] Accepted netcdf 1:4.10.0-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-02-16] netcdf 1:4.9.3-1 MIGRATED to testing (Debian testing watch)
[2025-02-14] Accepted netcdf 1:4.9.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-02-11] Accepted netcdf 1:4.9.3-1~exp2 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-02-08] Accepted netcdf 1:4.9.3-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-12-07] Accepted netcdf 1:4.9.3~rc2-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-08-15] netcdf 1:4.9.2-7 MIGRATED to testing (Debian testing watch)
[2024-08-12] Accepted netcdf 1:4.9.2-7 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-07-27] Accepted netcdf 1:4.9.3~rc1-1~exp1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2024-05-13] netcdf 1:4.9.2-6 MIGRATED to testing (Debian testing watch)
[2024-05-11] Accepted netcdf 1:4.9.2-6 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-05-07] netcdf 1:4.9.2-5 MIGRATED to testing (Debian testing watch)
[2024-05-07] netcdf 1:4.9.2-5 MIGRATED to testing (Debian testing watch)
[2024-03-02] Accepted netcdf 1:4.9.2-5 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-03-02] netcdf 1:4.9.2-4 MIGRATED to testing (Debian testing watch)
[2024-02-28] Accepted netcdf 1:4.9.2-4 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-02-05] Accepted netcdf 1:4.9.2-4~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2024-02-05] Accepted netcdf 1:4.9.2-3.1~exp1 (source) into experimental (Graham Inggs)
[2023-12-19] netcdf 1:4.9.2-3 MIGRATED to testing (Debian testing watch)
[2023-12-16] Accepted netcdf 1:4.9.2-3 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-09-09] netcdf 1:4.9.2-2 MIGRATED to testing (Debian testing watch)
[2023-09-09] netcdf 1:4.9.2-2 MIGRATED to testing (Debian testing watch)
[2023-09-04] Accepted netcdf 1:4.9.2-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-06-20] netcdf 1:4.9.2-1 MIGRATED to testing (Debian testing watch)
[2023-06-13] Accepted netcdf 1:4.9.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-03-15] Accepted netcdf 1:4.9.2-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2023-02-06] Accepted netcdf 1:4.9.1-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2022-11-22] Accepted netcdf 1:4.9.1~rc2-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:4.9.3-1build2
6 bugs