diff options
author | Dana Robinson <43805+derobins@users.noreply.github.com> | 2023-08-30 12:39:33 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-30 12:39:33 (GMT) |
commit | 4646ac859c5c1ba45c8b864a0dbc713525467d1a (patch) | |
tree | 002a3f3a180cc40aa87133c895b66e0ca82ac38e /release_docs | |
parent | 8063108578873e512c4e5432955086c0bb04b878 (diff) | |
download | hdf5-4646ac859c5c1ba45c8b864a0dbc713525467d1a.zip hdf5-4646ac859c5c1ba45c8b864a0dbc713525467d1a.tar.gz hdf5-4646ac859c5c1ba45c8b864a0dbc713525467d1a.tar.bz2 |
Bring CVE fixes from develop (#3447)
* Bring CVE fixes from develop
* Fix for CVE-2018-15671
* Fix for CVE-2016-4332
* Update the CVE matrix
Diffstat (limited to 'release_docs')
-rw-r--r-- | release_docs/RELEASE.txt | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 40faff6..db6b27a 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -109,6 +109,18 @@ Bug Fixes since HDF5-1.14.2 release =================================== Library ------- + - Fixed an assertion in a previous fix for CVE-2016-4332 + + An assert could fail when processing corrupt files that have invalid + shared message flags (as in CVE-2016-4332). + + The assert statement in question has been replaced with pointer checks + that don't raise errors. Since the function is in cleanup code, we do + our best to close and free things, even when presented with partially + initialized structs. + + Fixes CVE-2016-4332 and HDFFV-9950 (confirmed via the cve_hdf5 repo) + - Fixed performance regression with some compound type conversions In-place type conversion was introduced for most use cases in 1.14.2. @@ -119,8 +131,6 @@ Bug Fixes since HDF5-1.14.2 release this optimized conversion and there is no benefit in terms of the I/O size. - - Fixed an assertion in a previous fix for CVE-2016-4332 - Java Library ------------ |