From 3f0655a0a42beaf114c00fbe9cd5e801d59c83b6 Mon Sep 17 00:00:00 2001 From: Larry Knox Date: Wed, 15 Aug 2018 07:51:19 -0500 Subject: Merge pull request #1190 in HDFFV/hdf5 from ~BMRIBLER/hdf5_1_10_3-bmr:hdf5_1_10_3 to hdf5_1_10_3 * commit 'fae6c2fea419eb018414a9eed78a23e133a3660b': Revised entry on CVE issues Added notes about CVE issues --- release_docs/RELEASE.txt | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt index d757ebf..a38ac3a 100644 --- a/release_docs/RELEASE.txt +++ b/release_docs/RELEASE.txt 
@@ -269,6 +269,39 @@ Bug Fixes since HDF5-1.10.2 release (JTH - 2018/08/02, HDFFV-10512) + - User's patches: CVEs + + The following patches have been applied: + + CVE-2018-11202 - NULL pointer dereference was discovered in + H5S_hyper_make_spans in H5Shyper.c (HDFFV-10476) + https://security-tracker.debian.org/tracker/CVE-2018-11202 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-11202 + + CVE-2018-11203 - A division by zero was discovered in + H5D__btree_decode_key in H5Dbtree.c (HDFFV-10477) + https://security-tracker.debian.org/tracker/CVE-2018-11203 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-11203 + + CVE-2018-11204 - A NULL pointer dereference was discovered in + H5O__chunk_deserialize in H5Ocache.c (HDFFV-10478) + https://security-tracker.debian.org/tracker/CVE-2018-11204 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-11204 + + CVE-2018-11206 - An out of bound read was discovered in + H5O_fill_new_decode and H5O_fill_old_decode in H5Ofill.c + (HDFFV-10480) + https://security-tracker.debian.org/tracker/CVE-2018-11206 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-11206 + + CVE-2018-11207 - A division by zero was discovered in + H5D__chunk_init in H5Dchunk.c (HDFFV-10481) + https://security-tracker.debian.org/tracker/CVE-2018-11207 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-11207 + + (BMR - 2018/7/22, PR#s: 1134 and 1139, + HDFFV-10476, HDFFV-10477, HDFFV-10478, HDFFV-10480, HDFFV-10481) + - H5Adelete H5Adelete failed when deleting the last "large" attribute that @@ -349,6 +382,7 @@ Bug Fixes since HDF5-1.10.2 release (DER - 2018/02/26, HDFFV-10356) + Configuration ------------- - Applied patches to address Cywin build issues -- cgit v0.12
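Review bot: In the first hunk (@@ -269,6 +269,39 @@), all five cve.mitre.org links are written as "cvename.cgi?name=3DCVE-2018-...", where "=3D" is the quoted-printable encoding of "=", so the links as committed will not resolve to the intended record. Each should read "cvename.cgi?name=CVE-2018-11202" and so on for the other four entries. The list also jumps from CVE-2018-11204 to CVE-2018-11206 (and from HDFFV-10478 to HDFFV-10480); if that is intentional, a line saying the intervening issue is not covered by these patches would save readers from guessing. Each entry says where the defect was discovered but not what the patch changed or what a caller now sees, for example whether a malformed file now produces an error return instead of a crash; one sentence per entry would make the note usable for triage. Minor wording: the first entry lacks the leading "A" that the others have, and "out of bound read" would normally be "out-of-bounds read".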
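Review bot: In the second hunk (@@ -349,6 +382,7 @@), the single added line ahead of the "Configuration" heading appears to be a blank line, which is a formatting change unrelated to the CVE notes named in the commit message. It would be cleaner as a separate whitespace commit, or at least mentioned in the message. If this area is being touched anyway, the adjacent context line "Applied patches to address Cywin build issues" looks like a misspelling of "Cygwin" and could be corrected in the same pass.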