From 46725b5c8691c81a5c482efdfb217203ba105510 Mon Sep 17 00:00:00 2001
From: Dana Robinson <derobins@hdfgroup.org>
Date: Thu, 28 Mar 2024 11:57:22 -0700
Subject: [PATCH] Add release note for CVE-2017-17507

---
 release_docs/RELEASE.txt | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/release_docs/RELEASE.txt b/release_docs/RELEASE.txt
index d45d9d1ee9b..28dbd2357be 100644
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@@ -693,6 +693,19 @@ Bug Fixes since HDF5-1.14.0 release
 
     Library
     -------
+    - Fixed CVE-2017-17507
+
+      This CVE was previously declared fixed, but later testing with a static
+      build of HDF5 showed that it was not fixed.
+
+      When parsing a malformed (fuzzed) compound type containing variable-length
+      string members, the library could produce a segmentation fault, crashing
+      the library.
+
+      This was fixed after GitHub PR #4234
+
+      Fixes GitHub issue #3446
+
     - Fixed a cache assert with very large metadata objects
 
       If the library tries to load a metadata object that is above a