From f9a57500cae57d94444db08f636dea209cbdbf56 Mon Sep 17 00:00:00 2001 From: Larry Knox Date: Thu, 21 Oct 2021 16:08:05 -0500 Subject: Add release note for HDFFV-11150 fix. (#1106) * Add release note for HDFFV-11150 fix. * Add note about gif tool CVEs. --- release_docs/RELEASE.txt | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index 09e0a95..f12fbb8 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt @@ -66,7 +66,13 @@ New Features that default ON/enabled. Add configure options (autotools - CMake): - enable-hltools HDF5_BUILD_HL_TOOLS + --enable-hltools HDF5_BUILD_HL_TOOLS + + Disabling this option prevents building the gif tool which + contains the following CVEs: + HDFFV-10592 CVE-2018-17433 + HDFFV-10593 CVE-2018-17436 + HDFFV-11048 CVE-2020-10809 (ADB - 2021/09/16, HDFFV-11266) @@ -1100,6 +1106,14 @@ Bug Fixes since HDF5-1.12.0 release (ADB - 2021/03/03, #361) + - Fixed a segmentation fault + + A segmentation fault occurred with a Mathworks corrupted file. + + A detection of accessing a null pointer was added to prevent the problem. + + (BMR - 2021/02/19, HDFFV-11150) + - Fixed issue with MPI communicator and info object not being copied into new FAPL retrieved from H5F_get_access_plist @@ -1657,3 +1671,11 @@ The share folder will have the most differences because CMake builds include a number of CMake specific files for support of CMake's find_package and support for the HDF5 Examples CMake project. +The issues with the gif tool are: + HDFFV-10592 CVE-2018-17433 + HDFFV-10593 CVE-2018-17436 + HDFFV-11048 CVE-2020-10809 +These CVE issues have not yet been addressed and can be avoided by not building +the gif tool. Disable building the High-Level tools with these options: + autotools: --disable-hltools + cmake: HDF5_BUILD_HL_TOOLS=OFF -- cgit v0.12