I can't tell for sure if it's successfully using libaec to build the szip filter, but given that it was complaining about not finding it until I switched to install that with CMake too, I hope it's working.

As far as you know, will this resolve (through updating the HDF5 dependency version away from v1.14.6) the CVE-2025-2153 vulnerability referenced here? Thank you!

I have no specific knowledge about this CVE, but the issue is marked as fixed in HDF5 2.0, so with this PR we should pick up the fix in our pre-built h5py packages on PyPI. If it's a particular concern, I think it should be possible to build h5py from source with HDF5 2.0 already. Other package ecosystems (e.g. conda, spack, Linux distros) may move at different speeds, so they may already have the fix, or may still be unfixed even with future versions of h5py. libhdf5 is a big C library parsing a very complex file format, so regardless of any particular CVE, I would be cautious about any system which can read HDF5 files from untrusted users.
Also a minor upgrade of libaec.