Login
Newsletter
Werbung
Sicherheit: Ausführen beliebiger Kommandos in zstd
Aktuelle Meldungen Distributionen
Name: Ausführen beliebiger Kommandos in zstd
ID: openSUSE-SU-2019:2008-1
Distribution: SUSE
Plattformen: openSUSE Backports SLE-15, openSUSE Backports SLE-15-SP1
Datum: So, 25. August 2019, 08:43
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922
Applikationen: Zstandard

Originalnachricht

 
   openSUSE Security Update: Security update for zstd
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:2008-1
Rating:             moderate
References:         #1082318 #1133297 #1142941 
Cross-References:   CVE-2019-11922
Affected Products:
                    openSUSE Backports SLE-15-SP1
                    openSUSE Backports SLE-15
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   This update for zstd fixes the following issues:

   - Update to version 1.4.2:
     * bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
     * bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
     * bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
     * misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
     * misc: Restructure source files by @ephiepark (#1679)

   - Update to version 1.4.1:
     * bug: Fix data corruption in niche use cases by @terrelln (#1659)
     * bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594,
       #1595)
     * bug: Fix out of bounds read by @terrelln (#1590)
     * perf: Improve decode speed by ~7% @mgrice (#1668)
     * perf: Slightly improved compression ratio of level 3 and 4
       (ZSTD_dfast) by @cyan4973 (#1681)
     * perf: Slightly faster compression speed when re-using a context by
       @cyan4973 (#1658)
     * perf: Improve compression ratio for small windowLog by @cyan4973
       (#1624)
     * perf: Faster compression speed in high compression mode for repetitive
       data by @terrelln (#1635)
     * api: Add parameter to generate smaller dictionaries by @tyler-tran
       (#1656)
     * cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
     * cli: Expose cpu load indicator for each file on -vv mode by @ephiepark
       (#1631)
     * cli: Restrict read permissions on destination files by @chungy (#1644)
     * cli: zstdgrep: handle -f flag by @felixhandte (#1618)
     * cli: zstdcat: follow symlinks by @vejnar (#1604)
     * doc: Remove extra size limit on compressed blocks by @felixhandte
       (#1689)
     * doc: Fix typo by @yk-tanigawa (#1633)
     * doc: Improve documentation on streaming buffer sizes by @cyan4973
       (#1629)
     * build: CMake: support building with LZ4 @leeyoung624 (#1626)
     * build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
     * build: CMake: respect existing uninstall target by @j301scott (#1619)
     * build: Make: skip multithread tests when built without support by
       @michaelforney (#1620)
     * build: Make: Fix examples/ test target by @sjnam (#1603)
     * build: Meson: rename options out of deprecated namespace by @lzutao
       (#1665)
     * build: Meson: fix build by @lzutao (#1602)
     * build: Visual Studio: don't export symbols in static lib by @scharan
       (#1650)
     * build: Visual Studio: fix linking by @absotively (#1639)
     * build: Fix MinGW-W64 build by @myzhang1029 (#1600)
     * misc: Expand decodecorpus coverage by @ephiepark (#1664)

   - Add baselibs.conf: libarchive gained zstd support and provides
     -32bit libraries. This means, zstd also needs to provide -32bit libs.

   - Update to new upstream release 1.4.0
     * perf: level 1 compression speed was improved
     * cli: added --[no-]compress-literals flag to enable or disable literal
       compression
   - Reword "real-time" in description by some actual statistics,
 because
     603MB/s (lowest zstd level) is not "real-time" for quite some
     applications.

   - zstd 1.3.8:
     * better decompression speed on large files (+7%) and cold dictionaries
       (+15%)
     * slightly better compression ratio at high compression modes
     * new --rsyncable mode
     * support decompression of empty frames into NULL (used to be an error)
     * support ZSTD_CLEVEL environment variable
     * --no-progress flag, preserving final summary
     * various CLI fixes
     * fix race condition in one-pass compression functions that could allow
       out of bounds write (CVE-2019-11922, boo#1142941)

   - zstd 1.3.7:
     * fix ratio for dictionary compression at levels 9 and 10
     * add man pages for zstdless and zstdgrep
   - includes changes from zstd 1.3.6:
     * faster dictionary builder, also the new default for --train
     * previous (slower, slightly higher quality) dictionary builder to be
       selected via --train-cover
     * Faster dictionary decompression and compression under memory limits
       with many dictionaries used simultaneously
     * New command --adapt for compressed network piping of data adjusted to
       the perceived network conditions

   - update to 1.3.5:
     * much faster dictionary compression
     * small quality improvement for dictionary generation
     * slightly improved performance at high compression levels
     * automatic memory release for long duration contexts
     * fix overlapLog can be manually set
     * fix decoding invalid lz4 frames
     * fix performance degradation for dictionary compression when using
       advanced API

   - fix pzstd tests
   - enable pzstd (parallel zstd)

   - Use %license instead of %doc [boo#1082318]
   - Add disk _constraints to fix ppc64le build
   - Use FAT LTO objects in order to provide proper static library
     (boo#1133297).


   This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
 installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2019-2008=1

   - openSUSE Backports SLE-15:

      zypper in -t patch openSUSE-2019-2008=1



Package List:

   - openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

      libzstd-devel-1.4.2-bp151.4.3.1
      libzstd-devel-static-1.4.2-bp151.4.3.1
      libzstd1-1.4.2-bp151.4.3.1
      libzstd1-debuginfo-1.4.2-bp151.4.3.1
      zstd-1.4.2-bp151.4.3.1
      zstd-debuginfo-1.4.2-bp151.4.3.1
      zstd-debugsource-1.4.2-bp151.4.3.1

   - openSUSE Backports SLE-15-SP1 (aarch64_ilp32):

      libzstd1-64bit-1.4.2-bp151.4.3.1
      libzstd1-64bit-debuginfo-1.4.2-bp151.4.3.1

   - openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

      libzstd-devel-1.4.2-bp150.3.3.1
      libzstd-devel-static-1.4.2-bp150.3.3.1
      libzstd1-1.4.2-bp150.3.3.1
      zstd-1.4.2-bp150.3.3.1

   - openSUSE Backports SLE-15 (aarch64_ilp32):

      libzstd1-64bit-1.4.2-bp150.3.3.1


References:

   https://www.suse.com/security/cve/CVE-2019-11922.html
   https://bugzilla.suse.com/1082318
   https://bugzilla.suse.com/1133297
   https://bugzilla.suse.com/1142941

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung