Source: lz4-java
Version: 1.8.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.8.0-4
Hi,

The following vulnerabilities were published for lz4-java.

CVE-2025-12183[0]:
| Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and
| earlier allow remote attackers to cause denial of service and read
| adjacent memory via untrusted compressed input.

CVE-2025-66566[1]:
| yawkat LZ4 Java provides LZ4 compression for Java. Insufficient
| clearing of the output buffer in Java-based decompressor
| implementations in lz4-java 1.10.0 and earlier allows remote
| attackers to read previous buffer contents via crafted compressed
| input. In applications where the output buffer is reused without
| being cleared, this may lead to disclosure of sensitive data. JNI-
| based implementations are not affected. This vulnerability is fixed
| in 1.10.1.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-12183
    https://www.cve.org/CVERecord?id=CVE-2025-12183
    https://www.openwall.com/lists/oss-security/2025/12/01/5
[1] https://security-tracker.debian.org/tracker/CVE-2025-66566
    https://www.cve.org/CVERecord?id=CVE-2025-66566
    https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q
    https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840

Regards,
Salvatore
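The class of issue CVE-2025-66566 describes, as an added example that is not lz4-java's code and does not reproduce the exact upstream code path: a minimal LZ4 block decoder with the bound a safe decompressor must enforce on match offsets, decoding into an output buffer that is reused across calls. The block layout follows the public LZ4 block format; the sample blocks, the stale buffer contents and the `decode_into_reused_buffer` helper are constructed for this illustration.

```python
class CorruptBlock(ValueError):
    """Added example, not lz4-java's code: raised when a sequence would cross a bound."""

def _extend(src, ip, length):
    # A length nibble of 15 continues with 255-valued bytes and one final byte.
    while ip < len(src):
        length, ip = length + src[ip], ip + 1
        if src[ip - 1] != 255:
            return length, ip
    raise CorruptBlock("truncated length field")

def lz4_block_decompress(src, dest, dest_off, strict=True):
    """Decode one raw LZ4 block into dest[dest_off:]; return bytes written. strict=True rejects
    matches reaching before dest_off (bytes this call never wrote); strict=False copies them."""
    ip, op, end = 0, dest_off, len(dest)
    while True:
        if ip >= len(src):
            raise CorruptBlock("block has no terminating literal run")
        token, ip = src[ip], ip + 1
        lit_len = token >> 4
        if lit_len == 15:
            lit_len, ip = _extend(src, ip, lit_len)
        if ip + lit_len > len(src) or op + lit_len > end:
            raise CorruptBlock("literal run out of bounds")
        dest[op:op + lit_len] = src[ip:ip + lit_len]
        ip, op = ip + lit_len, op + lit_len
        if ip == len(src):  # the final sequence carries literals only
            return op - dest_off
        if ip + 2 > len(src):
            raise CorruptBlock("truncated match offset")
        offset, ip = src[ip] | (src[ip + 1] << 8), ip + 2
        match_len = (token & 0x0F) + 4  # 4 is LZ4's minimum match length
        if match_len == 19:
            match_len, ip = _extend(src, ip, match_len)
        if offset == 0 or offset > op - (dest_off if strict else 0) or op + match_len > end:
            raise CorruptBlock("match out of bounds")
        for i in range(match_len):  # byte-wise, so overlapping matches work
            dest[op + i] = dest[op - offset + i]
        op += match_len

# Constructed blocks: a well-formed one, and one whose match offset (6) reaches 4 bytes before dest_off=8.
GOOD_BLOCK = bytes([0x35]) + b"abc" + bytes([0x03, 0x00, 0x10]) + b"X"
BAD_BLOCK = bytes([0x20]) + b"ok" + bytes([0x06, 0x00, 0x10]) + b"x"

def decode_into_reused_buffer(block, strict, clear_first=False):
    buf = bytearray(b"SECRET-KEY-0123456789ABCDEF!")  # constructed stale contents left by an earlier call
    if clear_first:  # application-side mitigation: never hand a decoder an uncleared reused buffer
        buf[:] = bytes(len(buf))
    n = lz4_block_decompress(block, buf, 8, strict)
    return bytes(buf[8:8 + n])  # only the first n bytes are output; never expose the rest
```

With `strict=False` the bad block returns stale buffer bytes inside the decompressed output, which is the disclosure pattern the advisory describes; clearing the buffer first keeps that data out of the result even when the decoder is lenient.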

