Your message dated Wed, 26 May 2021 19:02:13 +0000
with message-id <e1llynf-000e8l...@fasolo.debian.org>
and subject line Bug#987856: fixed in lz4 1.8.3-1+deb10u1
has caused the Debian Bug report #987856,
regarding lz4: CVE-2021-3520
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
987856: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987856
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lz4
Version: 1.9.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/lz4/lz4/pull/972
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for lz4.

CVE-2021-3520[0]:
| memory corruption due to an integer overflow bug caused by memmove
| argument

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3520
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3520
[1] https://github.com/lz4/lz4/pull/972

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: lz4
Source-Version: 1.8.3-1+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
lz4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated lz4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 May 2021 21:23:00 +0200
Source: lz4
Architecture: source
Version: 1.8.3-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Nobuhiro Iwamatsu <iwama...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 987856
Changes:
 lz4 (1.8.3-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix potential memory corruption with negative memmove() size
     (CVE-2021-3520) (Closes: #987856)

--- End Message ---
