Bring CVE fixes from develop (#3447)

* Bring CVE fixes from develop

* Fix for CVE-2018-15671
* Fix for CVE-2016-4332

* Update the CVE matrix

1 files changed, 12 insertions, 2 deletions

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index 40faff6..db6b27a 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -109,6 +109,18 @@ Bug Fixes since HDF5-1.14.2 release
 ===================================
     Library
     -------
+    - Fixed an assertion in a previous fix for CVE-2016-4332
+
+      An assert could fail when processing corrupt files that have invalid
+      shared message flags (as in CVE-2016-4332).
+
+      The assert statement in question has been replaced with pointer checks
+      that don't raise errors. Since the function is in cleanup code, we do
+      our best to close and free things, even when presented with partially
+      initialized structs.
+
+      Fixes CVE-2016-4332 and HDFFV-9950 (confirmed via the cve_hdf5 repo)
+
     - Fixed performance regression with some compound type conversions
 
       In-place type conversion was introduced for most use cases in 1.14.2.
@@ -119,8 +131,6 @@ Bug Fixes since HDF5-1.14.2 release
       this optimized conversion and there is no benefit in terms of the I/O
       size.
 
-    - Fixed an assertion in a previous fix for CVE-2016-4332
-
 
     Java Library
     ------------