Add release note for CVE-2017-17507

derobins · Mar 28, 2024 · 46725b5 · 46725b5
1 parent 372381c
commit 46725b5
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
@@ -693,6 +693,19 @@ Bug Fixes since HDF5-1.14.0 release
 
     Library
     -------
+    - Fixed CVE-2017-17507
+
+      This CVE was previously declared fixed, but later testing with a static
+      build of HDF5 showed that it was not fixed.
+
+      When parsing a malformed (fuzzed) compound type containing variable-length
+      string members, the library could produce a segmentation fault, crashing
+      the library.
+
+      This was fixed after GitHub PR #4234
+
+      Fixes GitHub issue #3446
+
     - Fixed a cache assert with very large metadata objects
 
       If the library tries to load a metadata object that is above a