openSUSE Security Update: Security update for zstd
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:2008-1
Rating:             moderate
References:         #1082318 #1133297 #1142941 
Cross-References:   CVE-2019-11922
Affected Products:
                    openSUSE Backports SLE-15-SP1
                    openSUSE Backports SLE-15
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   This update for zstd fixes the following issues:

   - Update to version 1.4.2:
     * bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
     * bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
     * bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
     * misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
     * misc: Restructure source files by @ephiepark (#1679)

   - Update to version 1.4.1:
     * bug: Fix data corruption in niche use cases by @terrelln (#1659)
     * bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594,
       #1595)
     * bug: Fix out of bounds read by @terrelln (#1590)
     * perf: Improve decode speed by ~7% @mgrice (#1668)
     * perf: Slightly improved compression ratio of level 3 and 4
       (ZSTD_dfast) by @cyan4973 (#1681)
     * perf: Slightly faster compression speed when re-using a context by
       @cyan4973 (#1658)
     * perf: Improve compression ratio for small windowLog by @cyan4973
       (#1624)
     * perf: Faster compression speed in high compression mode for repetitive
       data by @terrelln (#1635)
     * api: Add parameter to generate smaller dictionaries by @tyler-tran
       (#1656)
     * cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
     * cli: Expose cpu load indicator for each file on -vv mode by @ephiepark
       (#1631)
     * cli: Restrict read permissions on destination files by @chungy (#1644)
     * cli: zstdgrep: handle -f flag by @felixhandte (#1618)
     * cli: zstdcat: follow symlinks by @vejnar (#1604)
     * doc: Remove extra size limit on compressed blocks by @felixhandte
       (#1689)
     * doc: Fix typo by @yk-tanigawa (#1633)
     * doc: Improve documentation on streaming buffer sizes by @cyan4973
       (#1629)
     * build: CMake: support building with LZ4 @leeyoung624 (#1626)
     * build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
     * build: CMake: respect existing uninstall target by @j301scott (#1619)
     * build: Make: skip multithread tests when built without support by
       @michaelforney (#1620)
     * build: Make: Fix examples/ test target by @sjnam (#1603)
     * build: Meson: rename options out of deprecated namespace by @lzutao
       (#1665)
     * build: Meson: fix build by @lzutao (#1602)
     * build: Visual Studio: don't export symbols in static lib by @scharan
       (#1650)
     * build: Visual Studio: fix linking by @absotively (#1639)
     * build: Fix MinGW-W64 build by @myzhang1029 (#1600)
     * misc: Expand decodecorpus coverage by @ephiepark (#1664)

   - Add baselibs.conf: libarchive gained zstd support and provides
     -32bit libraries. This means, zstd also needs to provide -32bit libs.

   - Update to new upstream release 1.4.0
     * perf: level 1 compression speed was improved
     * cli: added --[no-]compress-literals flag to enable or disable literal
       compression
   - Reword "real-time" in description by some actual statistics, because
     603MB/s (lowest zstd level) is not "real-time" for quite some
     applications.

   - zstd 1.3.8:
     * better decompression speed on large files (+7%) and cold dictionaries
       (+15%)
     * slightly better compression ratio at high compression modes
     * new --rsyncable mode
     * support decompression of empty frames into NULL (used to be an error)
     * support ZSTD_CLEVEL environment variable
     * --no-progress flag, preserving final summary
     * various CLI fixes
     * fix race condition in one-pass compression functions that could allow
       out of bounds write (CVE-2019-11922, boo#1142941)

   - zstd 1.3.7:
     * fix ratio for dictionary compression at levels 9 and 10
     * add man pages for zstdless and zstdgrep
   - includes changes from zstd 1.3.6:
     * faster dictionary builder, also the new default for --train
     * previous (slower, slightly higher quality) dictionary builder to be
       selected via --train-cover
     * Faster dictionary decompression and compression under memory limits
       with many dictionaries used simultaneously
     * New command --adapt for compressed network piping of data adjusted to
       the perceived network conditions

   - update to 1.3.5:
     * much faster dictionary compression
     * small quality improvement for dictionary generation
     * slightly improved performance at high compression levels
     * automatic memory release for long duration contexts
     * fix overlapLog can be manually set
     * fix decoding invalid lz4 frames
     * fix performance degradation for dictionary compression when using
       advanced API

   - fix pzstd tests
   - enable pzstd (parallel zstd)

   - Use %license instead of %doc [boo#1082318]
   - Add disk _constraints to fix ppc64le build
   - Use FAT LTO objects in order to provide proper static library
     (boo#1133297).


   This update was imported from the openSUSE:Leap:15.0:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2019-2008=1

   - openSUSE Backports SLE-15:

      zypper in -t patch openSUSE-2019-2008=1



Package List:

   - openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):

      libzstd-devel-1.4.2-bp151.4.3.1
      libzstd-devel-static-1.4.2-bp151.4.3.1
      libzstd1-1.4.2-bp151.4.3.1
      libzstd1-debuginfo-1.4.2-bp151.4.3.1
      zstd-1.4.2-bp151.4.3.1
      zstd-debuginfo-1.4.2-bp151.4.3.1
      zstd-debugsource-1.4.2-bp151.4.3.1

   - openSUSE Backports SLE-15-SP1 (aarch64_ilp32):

      libzstd1-64bit-1.4.2-bp151.4.3.1
      libzstd1-64bit-debuginfo-1.4.2-bp151.4.3.1

   - openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):

      libzstd-devel-1.4.2-bp150.3.3.1
      libzstd-devel-static-1.4.2-bp150.3.3.1
      libzstd1-1.4.2-bp150.3.3.1
      zstd-1.4.2-bp150.3.3.1

   - openSUSE Backports SLE-15 (aarch64_ilp32):

      libzstd1-64bit-1.4.2-bp150.3.3.1


References:

   https://www.suse.com/security/cve/CVE-2019-11922.html
   https://bugzilla.suse.com/1082318
   https://bugzilla.suse.com/1133297
   https://bugzilla.suse.com/1142941

--

openSUSE: 2019:2008-1: moderate: zstd

August 24, 2019
An update that solves one vulnerability and has two fixes is now available.

Description

This update for zstd fixes the following issues: - Update to version 1.4.2: * bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696) * bug: Fix seekable decompression in-memory API by @iburinoc (#1695) * bug: Close minor memory leak in CLI by @LeeYoung624 (#1701) * misc: Validate blocks are smaller than size limit by @vivekmig (#1685) * misc: Restructure source files by @ephiepark (#1679) - Update to version 1.4.1: * bug: Fix data corruption in niche use cases by @terrelln (#1659) * bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594, #1595) * bug: Fix out of bounds read by @terrelln (#1590) * perf: Improve decode speed by ~7% @mgrice (#1668) * perf: Slightly improved compression ratio of level 3 and 4 (ZSTD_dfast) by @cyan4973 (#1681) * perf: Slightly faster compression speed when re-using a context by @cyan4973 (#1658) * perf: Improve compression ratio for small windowLog by @cyan4973 (#1624) * perf: Faster compression speed in high compression mode for repetitive data by @terrelln (#1635) * api: Add parameter to generate smaller dictionaries by @tyler-tran (#1656) * cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640) * cli: Expose cpu load indicator for each file on -vv mode by @ephiepark (#1631) * cli: Restrict read permissions on destination files by @chungy (#1644) * cli: zstdgrep: handle -f flag by @felixhandte (#1618) * cli: zstdcat: follow symlinks by @vejnar (#1604) * doc: Remove extra size limit on compressed blocks by @felixhandte (#1689) * doc: Fix typo by @yk-tanigawa (#1633) * doc: Improve documentation on streaming buffer sizes by @cyan4973 (#1629) * build: CMake: support building with LZ4 @leeyoung624 (#1626) * build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647) * build: CMake: respect existing uninstall target by @j301scott (#1619) * build: Make: skip multithread tests when built without support by @michaelforney (#1620) * build: Make: Fix examples/ test target by @sjnam (#1603) * build: Meson: rename options out of deprecated namespace by @lzutao (#1665) * build: Meson: fix build by @lzutao (#1602) * build: Visual Studio: don't export symbols in static lib by @scharan (#1650) * build: Visual Studio: fix linking by @absotively (#1639) * build: Fix MinGW-W64 build by @myzhang1029 (#1600) * misc: Expand decodecorpus coverage by @ephiepark (#1664) - Add baselibs.conf: libarchive gained zstd support and provides -32bit libraries. This means, zstd also needs to provide -32bit libs. - Update to new upstream release 1.4.0 * perf: level 1 compression speed was improved * cli: added --[no-]compress-literals flag to enable or disable literal compression - Reword "real-time" in description by some actual statistics, because 603MB/s (lowest zstd level) is not "real-time" for quite some applications. - zstd 1.3.8: * better decompression speed on large files (+7%) and cold dictionaries (+15%) * slightly better compression ratio at high compression modes * new --rsyncable mode * support decompression of empty frames into NULL (used to be an error) * support ZSTD_CLEVEL environment variable * --no-progress flag, preserving final summary * various CLI fixes * fix race condition in one-pass compression functions that could allow out of bounds write (CVE-2019-11922, boo#1142941) - zstd 1.3.7: * fix ratio for dictionary compression at levels 9 and 10 * add man pages for zstdless and zstdgrep - includes changes from zstd 1.3.6: * faster dictionary builder, also the new default for --train * previous (slower, slightly higher quality) dictionary builder to be selected via --train-cover * Faster dictionary decompression and compression under memory limits with many dictionaries used simultaneously * New command --adapt for compressed network piping of data adjusted to the perceived network conditions - update to 1.3.5: * much faster dictionary compression * small quality improvement for dictionary generation * slightly improved performance at high compression levels * automatic memory release for long duration contexts * fix overlapLog can be manually set * fix decoding invalid lz4 frames * fix performance degradation for dictionary compression when using advanced API - fix pzstd tests - enable pzstd (parallel zstd) - Use %license instead of %doc [boo#1082318] - Add disk _constraints to fix ppc64le build - Use FAT LTO objects in order to provide proper static library (boo#1133297). This update was imported from the openSUSE:Leap:15.0:Update update project.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2019-2008=1 - openSUSE Backports SLE-15: zypper in -t patch openSUSE-2019-2008=1


Package List

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64): libzstd-devel-1.4.2-bp151.4.3.1 libzstd-devel-static-1.4.2-bp151.4.3.1 libzstd1-1.4.2-bp151.4.3.1 libzstd1-debuginfo-1.4.2-bp151.4.3.1 zstd-1.4.2-bp151.4.3.1 zstd-debuginfo-1.4.2-bp151.4.3.1 zstd-debugsource-1.4.2-bp151.4.3.1 - openSUSE Backports SLE-15-SP1 (aarch64_ilp32): libzstd1-64bit-1.4.2-bp151.4.3.1 libzstd1-64bit-debuginfo-1.4.2-bp151.4.3.1 - openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64): libzstd-devel-1.4.2-bp150.3.3.1 libzstd-devel-static-1.4.2-bp150.3.3.1 libzstd1-1.4.2-bp150.3.3.1 zstd-1.4.2-bp150.3.3.1 - openSUSE Backports SLE-15 (aarch64_ilp32): libzstd1-64bit-1.4.2-bp150.3.3.1


References

https://www.suse.com/security/cve/CVE-2019-11922.html https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1133297 https://bugzilla.suse.com/1142941--


Severity
Announcement ID: openSUSE-SU-2019:2008-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP1 openSUSE Backports SLE-15 le.

Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved