Description
A new version of cfitsio just came out, accompanied by the following notice from upstream:
The NASA security team requires the following warning to all users of CFITSIO:
The CFITSIO open source software project contains vulnerabilities that could allow a remote, unauthenticated attacker to take control of a server running the CFITSIO software. These vulnerabilities affect all servers and products running the CFITSIO software.
The CFITSIO team has released software updates to address these vulnerabilities. There are no workarounds to address these vulnerabilities. In all cases, the CFITSIO team is recommending an immediate update to resolve the issues.
It is still unclear what the exact problem is (see discussion in Debian bug #892458), but it may be wise to update cfitsio in 3.X and 2.X and to create a new point release.