Your message dated Mon, 30 Mar 2026 09:00:58 +0200
with message-id <[email protected]>
and subject line Re: Accepted zlib 1:1.3.dfsg+really1.3.2-1 (source) into 
unstable
has caused the Debian Bug report #1128336,
regarding zlib: CVE-2026-27171
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1128336: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128336
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zlib
Version: 1:1.3.dfsg+really1.3.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/madler/zlib/issues/904
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for zlib.

CVE-2026-27171[0]:
| zlib before 1.3.2 allows CPU consumption via crc32_combine64 and
| crc32_combine_gen64 because x2nmodp can do right shifts within a
| loop that has no termination condition.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27171
    https://www.cve.org/CVERecord?id=CVE-2026-27171
[1] https://github.com/madler/zlib/issues/904
[2] https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: zlib
Source-Version: 1:1.3.dfsg+really1.3.2-1

On Thu, Mar 26, 2026 at 11:19:04PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Tue, 24 Mar 2026 01:05:33 +0000
> Source: zlib
> Architecture: source
> Version: 1:1.3.dfsg+really1.3.2-1
> Distribution: unstable
> Urgency: low
> Maintainer: Mark Brown <[email protected]>
> Changed-By: Mark Brown <[email protected]>
> Closes: 1126919
> Changes:
>  zlib (1:1.3.dfsg+really1.3.2-1) unstable; urgency=low
>  .
>    * New upstream release.
>    * Don't create /lib, patch from Michael Biebl (closes: #1126919).
>    * minizip now has a testsuite, run it.
>    * Bump debhelper compat to 15 (no changes).
> 

--- End Message ---
