Add release note for HDFFV-11150 fix. (#1106)

* Add release note for HDFFV-11150 fix. * Add note about gif tool CVEs.
2025-03-31 17:10:47 +08:00 · 2021-10-21 16:08:05 -05:00 · 2021-10-21 16:08:05 -05:00 · f9a57500ca
commit f9a57500ca
parent 76c77a242c
1 changed files with 23 additions and 1 deletions
--- a/release_docs/RELEASE.txt
+++ b/release_docs/RELEASE.txt
@ -66,7 +66,13 @@ New Features
      that default ON/enabled.

      Add configure options (autotools - CMake):
-            enable-hltools       HDF5_BUILD_HL_TOOLS
+            --enable-hltools       HDF5_BUILD_HL_TOOLS
+
+      Disabling this option prevents building the gif tool which
+      contains the following CVEs:
+          HDFFV-10592 CVE-2018-17433
+          HDFFV-10593 CVE-2018-17436
+          HDFFV-11048 CVE-2020-10809

      (ADB - 2021/09/16, HDFFV-11266)

@ -1100,6 +1106,14 @@ Bug Fixes since HDF5-1.12.0 release

        (ADB - 2021/03/03, #361)

+    - Fixed a segmentation fault
+
+      A segmentation fault occurred with a Mathworks corrupted file.
+
+      A detection of accessing a null pointer was added to prevent the problem.
+
+      (BMR - 2021/02/19, HDFFV-11150)
+
    - Fixed issue with MPI communicator and info object not being
      copied into new FAPL retrieved from H5F_get_access_plist

@ -1657,3 +1671,11 @@ The share folder will have the most differences because CMake builds include
 a number of CMake specific files for support of CMake's find_package and support
 for the HDF5 Examples CMake project.

+The issues with the gif tool are:
+    HDFFV-10592 CVE-2018-17433
+    HDFFV-10593 CVE-2018-17436
+    HDFFV-11048 CVE-2020-10809
+These CVE issues have not yet been addressed and can be avoided by not building
+the gif tool. Disable building the High-Level tools with these options:
+    autotools:   --disable-hltools
+    cmake:       HDF5_BUILD_HL_TOOLS=OFF