openSUSE-SU-2019:1952-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2019:1952-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2019:1952-1
Published
2019-08-19T11:36:36Z
Modified
2019-08-19T11:36:36Z
Summary
Security update for zstd
Details

This update for zstd fixes the following issues:

  • Update to version 1.4.2:

    • bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
    • bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
    • bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
    • misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
    • misc: Restructure source files by @ephiepark (#1679)
  • Update to version 1.4.1:

    • bug: Fix data corruption in niche use cases by @terrelln (#1659)
    • bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594, #1595)
    • bug: Fix out of bounds read by @terrelln (#1590)
    • perf: Improve decode speed by ~7% @mgrice (#1668)
    • perf: Slightly improved compression ratio of level 3 and 4 (ZSTD_dfast) by @cyan4973 (#1681)
    • perf: Slightly faster compression speed when re-using a context by @cyan4973 (#1658)
    • perf: Improve compression ratio for small windowLog by @cyan4973 (#1624)
    • perf: Faster compression speed in high compression mode for repetitive data by @terrelln (#1635)
    • api: Add parameter to generate smaller dictionaries by @tyler-tran (#1656)
    • cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
    • cli: Expose cpu load indicator for each file on -vv mode by @ephiepark (#1631)
    • cli: Restrict read permissions on destination files by @chungy (#1644)
    • cli: zstdgrep: handle -f flag by @felixhandte (#1618)
    • cli: zstdcat: follow symlinks by @vejnar (#1604)
    • doc: Remove extra size limit on compressed blocks by @felixhandte (#1689)
    • doc: Fix typo by @yk-tanigawa (#1633)
    • doc: Improve documentation on streaming buffer sizes by @cyan4973 (#1629)
    • build: CMake: support building with LZ4 @leeyoung624 (#1626)
    • build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
    • build: CMake: respect existing uninstall target by @j301scott (#1619)
    • build: Make: skip multithread tests when built without support by @michaelforney (#1620)
    • build: Make: Fix examples/ test target by @sjnam (#1603)
    • build: Meson: rename options out of deprecated namespace by @lzutao (#1665)
    • build: Meson: fix build by @lzutao (#1602)
    • build: Visual Studio: don't export symbols in static lib by @scharan (#1650)
    • build: Visual Studio: fix linking by @absotively (#1639)
    • build: Fix MinGW-W64 build by @myzhang1029 (#1600)
    • misc: Expand decodecorpus coverage by @ephiepark (#1664)
  • Add baselibs.conf: libarchive gained zstd support and provides -32bit libraries. This means zstd also needs to provide -32bit libs.

  • Update to new upstream release 1.4.0

    • perf: level 1 compression speed was improved
    • cli: added --[no-]compress-literals flag to enable or disable literal compression
  • Replace 'real-time' in the description with actual statistics, because 603MB/s (lowest zstd level) is not 'real-time' for quite a few applications.

  • zstd 1.3.8:

    • better decompression speed on large files (+7%) and cold dictionaries (+15%)
    • slightly better compression ratio at high compression modes
    • new --rsyncable mode
    • support decompression of empty frames into NULL (used to be an error)
    • support ZSTD_CLEVEL environment variable
    • --no-progress flag, preserving final summary
    • various CLI fixes
    • fix race condition in one-pass compression functions that could allow out of bounds write (CVE-2019-11922, boo#1142941)
  • zstd 1.3.7:

    • fix ratio for dictionary compression at levels 9 and 10
    • add man pages for zstdless and zstdgrep
  • includes changes from zstd 1.3.6:

    • faster dictionary builder, also the new default for --train
    • previous (slower, slightly higher quality) dictionary builder to be selected via --train-cover
    • Faster dictionary decompression and compression under memory limits with many dictionaries used simultaneously
    • New command --adapt for compressed network piping of data adjusted to the perceived network conditions
  • update to 1.3.5:

    • much faster dictionary compression
    • small quality improvement for dictionary generation
    • slightly improved performance at high compression levels
    • automatic memory release for long duration contexts
    • fix overlapLog can be manually set
    • fix decoding invalid lz4 frames
    • fix performance degradation for dictionary compression when using advanced API
  • fix pzstd tests

  • enable pzstd (parallel zstd)

  • Use %license instead of %doc [boo#1082318]

  • Add disk _constraints to fix ppc64le build
  • Use FAT LTO objects in order to provide proper static library (boo#1133297).

Affected packages

openSUSE:Leap 15.0 / zstd

Package

Name
zstd
Purl
pkg:rpm/opensuse/zstd&distro=openSUSE%20Leap%2015.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.2-lp150.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libzstd-devel": "1.4.2-lp150.2.3.1",
            "libzstd1": "1.4.2-lp150.2.3.1",
            "libzstd-devel-static": "1.4.2-lp150.2.3.1",
            "zstd": "1.4.2-lp150.2.3.1"
        }
    ]
}