openSUSE: 2019:1952-1: moderate: zstd

    Date: 19 Aug 2019
    Category: openSUSE
    Posted By: LinuxSecurity Advisories
    An update that solves one vulnerability and has two fixes is now available.
       openSUSE Security Update: Security update for zstd
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2019:1952-1
    Rating:             moderate
    References:         #1082318 #1133297 #1142941 
    Cross-References:   CVE-2019-11922
    Affected Products:
                        openSUSE Leap 15.0
    ______________________________________________________________________________
    
       An update that solves one vulnerability and has two fixes
       is now available.
    
    Description:
    
       This update for zstd fixes the following issues:
    
       - Update to version 1.4.2:
         * bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
         * bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
         * bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
         * misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
         * misc: Restructure source files by @ephiepark (#1679)
    
       - Update to version 1.4.1:
         * bug: Fix data corruption in niche use cases by @terrelln (#1659)
         * bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594,
           #1595)
         * bug: Fix out of bounds read by @terrelln (#1590)
         * perf: Improve decode speed by ~7% @mgrice (#1668)
         * perf: Slightly improved compression ratio of level 3 and 4
           (ZSTD_dfast) by @cyan4973 (#1681)
         * perf: Slightly faster compression speed when re-using a context by
           @cyan4973 (#1658)
         * perf: Improve compression ratio for small windowLog by @cyan4973
           (#1624)
         * perf: Faster compression speed in high compression mode for repetitive
           data by @terrelln (#1635)
         * api: Add parameter to generate smaller dictionaries by @tyler-tran
           (#1656)
         * cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
         * cli: Expose cpu load indicator for each file on -vv mode by @ephiepark
           (#1631)
         * cli: Restrict read permissions on destination files by @chungy (#1644)
         * cli: zstdgrep: handle -f flag by @felixhandte (#1618)
         * cli: zstdcat: follow symlinks by @vejnar (#1604)
         * doc: Remove extra size limit on compressed blocks by @felixhandte
           (#1689)
         * doc: Fix typo by @yk-tanigawa (#1633)
         * doc: Improve documentation on streaming buffer sizes by @cyan4973
           (#1629)
         * build: CMake: support building with LZ4 @leeyoung624 (#1626)
         * build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
         * build: CMake: respect existing uninstall target by @j301scott (#1619)
         * build: Make: skip multithread tests when built without support by
           @michaelforney (#1620)
         * build: Make: Fix examples/ test target by @sjnam (#1603)
         * build: Meson: rename options out of deprecated namespace by @lzutao
           (#1665)
         * build: Meson: fix build by @lzutao (#1602)
         * build: Visual Studio: don't export symbols in static lib by @scharan
           (#1650)
         * build: Visual Studio: fix linking by @absotively (#1639)
         * build: Fix MinGW-W64 build by @myzhang1029 (#1600)
         * misc: Expand decodecorpus coverage by @ephiepark (#1664)
    
       - Add baselibs.conf: libarchive gained zstd support and provides
         -32bit libraries. This means, zstd also needs to provide -32bit libs.
    
       - Update to new upstream release 1.4.0
         * perf: level 1 compression speed was improved
         * cli: added --[no-]compress-literals flag to enable or disable literal
           compression
       - Reword "real-time" in description by some actual statistics, because
         603MB/s (lowest zstd level) is not "real-time" for quite some
         applications.
    
       - zstd 1.3.8:
         * better decompression speed on large files (+7%) and cold dictionaries
           (+15%)
         * slightly better compression ratio at high compression modes
         * new --rsyncable mode
         * support decompression of empty frames into NULL (used to be an error)
         * support ZSTD_CLEVEL environment variable
         * --no-progress flag, preserving final summary
         * various CLI fixes
         * fix race condition in one-pass compression functions that could allow
           out of bounds write (CVE-2019-11922, boo#1142941)
    
       - zstd 1.3.7:
         * fix ratio for dictionary compression at levels 9 and 10
         * add man pages for zstdless and zstdgrep
       - includes changes from zstd 1.3.6:
         * faster dictionary builder, also the new default for --train
         * previous (slower, slightly higher quality) dictionary builder to be
           selected via --train-cover
         * Faster dictionary decompression and compression under memory limits
           with many dictionaries used simultaneously
         * New command --adapt for compressed network piping of data adjusted to
           the perceived network conditions
    
       - update to 1.3.5:
         * much faster dictionary compression
         * small quality improvement for dictionary generation
         * slightly improved performance at high compression levels
         * automatic memory release for long duration contexts
         * fix overlapLog can be manually set
         * fix decoding invalid lz4 frames
         * fix performance degradation for dictionary compression when using
           advanced API
    
       - fix pzstd tests
       - enable pzstd (parallel zstd)
    
       - Use %license instead of %doc [boo#1082318]
       - Add disk _constraints to fix ppc64le build
       - Use FAT LTO objects in order to provide proper static library
         (boo#1133297).
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Leap 15.0:
    
          zypper in -t patch openSUSE-2019-1952=1
    
    
    
    Package List:
    
       - openSUSE Leap 15.0 (x86_64):
    
          libzstd-devel-1.4.2-lp150.2.3.1
          libzstd-devel-static-1.4.2-lp150.2.3.1
          libzstd1-1.4.2-lp150.2.3.1
          libzstd1-debuginfo-1.4.2-lp150.2.3.1
          zstd-1.4.2-lp150.2.3.1
          zstd-debuginfo-1.4.2-lp150.2.3.1
          zstd-debugsource-1.4.2-lp150.2.3.1
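
To confirm the update is in place, the installed packages can be compared against the fixed version-release from the package list above. This check is an added example, not part of the SUSE advisory; the function names are hypothetical, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: flag advisory packages older than the fixed build.
# FIXED and PKGS are copied from the advisory's package list.
FIXED="1.4.2-lp150.2.3.1"
PKGS="libzstd-devel libzstd-devel-static libzstd1 libzstd1-debuginfo zstd zstd-debuginfo zstd-debugsource"

# ver_lt A B: succeeds when A sorts strictly before B under GNU sort -V.
# Assumption: sort -V is close enough to RPM's comparison for these
# simple numeric version-release strings.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_zstd: reads "name version-release" lines on stdin, prints one
# OUTDATED line per advisory package below FIXED, and returns 1 if any
# were found (0 otherwise). Packages not in PKGS are ignored.
audit_zstd() {
    rc=0
    while read -r name vr; do
        case " $PKGS " in
            *" $name "*) ;;
            *) continue ;;
        esac
        if ver_lt "$vr" "$FIXED"; then
            echo "OUTDATED $name $vr (fixed in $FIXED)"
            rc=1
        fi
    done
    return $rc
}

# On a Leap 15.0 host, feed it the installed package set:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_zstd
```

A non-zero exit status means at least one listed package still predates the fixed build and the patch should be applied as described in the patch instructions.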
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2019-11922.html
       https://bugzilla.suse.com/1082318
       https://bugzilla.suse.com/1133297
       https://bugzilla.suse.com/1142941
    