Your message dated Sat, 04 Jul 2026 13:17:35 +0000
with message-id <[email protected]>
and subject line Bug#1132497: fixed in xz-utils 5.4.1-1+deb12u1
has caused the Debian Bug report #1132497,
regarding xz-utils: CVE-2026-34743
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132497
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xz-utils
Version: 5.8.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 5.8.1-1
Control: found -1 5.4.1-1
Hi,
The following vulnerability was published for xz-utils.
CVE-2026-34743[0]:
| liblzma: Fix a buffer overflow in lzma_index_append()
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-34743
https://www.cve.org/CVERecord?id=CVE-2026-34743
[1] https://tukaani.org/xz/index-append-overflow.html
[2]
https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xz-utils
Source-Version: 5.4.1-1+deb12u1
Done: Otto Kekäläinen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
xz-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Otto Kekäläinen <[email protected]> (supplier of updated xz-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Jun 2026 13:13:13 +0000
Source: xz-utils
Architecture: source
Version: 5.4.1-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Sebastian Andrzej Siewior <[email protected]>
Changed-By: Otto Kekäläinen <[email protected]>
Closes: 1132497
Changes:
xz-utils (5.4.1-1+deb12u1) bookworm; urgency=medium
.
* Backport upstream security fix for CVE-2026-34743, for which upstream
states
it's likely that this bug cannot be triggered in any real-world
application,
see https://tukaani.org/xz/index-append-overflow.html (Closes: #1132497)
* Additionally backport related fix in xz to prevent an integer overflow in
--files and --files0
* Add myself as uploader and prepare gbp.conf and salsa-ci.yml for easier
maintenance of this package in Bookworm (and later potentially in LTS)
Checksums-Sha1:
9e1a34ce67b3af5a1341eec06e5859338617673c 2515 xz-utils_5.4.1-1+deb12u1.dsc
c71a3753e345a9857f3d55f415b83648f4f351b0 93600
xz-utils_5.4.1-1+deb12u1.debian.tar.xz
Checksums-Sha256:
38f98e356f7e7e89b0920d39c55dd5f3d1a9f2684bff83c8b4890561e1832e94 2515
xz-utils_5.4.1-1+deb12u1.dsc
3e162db2b76480c7e157f4c2f6ff9a426fc023f262d4dc3287530b36e2843ebe 93600
xz-utils_5.4.1-1+deb12u1.debian.tar.xz
Files:
73a929763829984791fbd6cc7caa111e 2515 utils optional
xz-utils_5.4.1-1+deb12u1.dsc
729325a9817d328d1c27bd7d0119c11d 93600 utils optional
xz-utils_5.4.1-1+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmpIAWMACgkQBWQfF1cS
+lsJSQv9F142NIVzehCEziDG1k9NSCEeTEn7u2JdCMOm26pzNmGuZ6AEgtFLU77S
lSp+2sMMEzab+Qu+Q9pBN/hgJBxEaBoygeRKtTWMZNxXqiBv0rlwmoG+U2yFccyU
FcTtVL+8cd1m5gqrndKpEJW4e47AYzhimdcFEfHO/JTQolBUG+nkkcPTFUqA7Kee
HpxLnJnyvrLQf5sgpMJCYhwOgw4cSsgDgXaP2kEY8CTz+oRZ52OuGFvZ7dJpGXLx
Wp/mpdQysSBw7UUrmb7cn3ch+q30wP0HqfwbVSFk/fe2yb7G8bEjK3fH5X5PXHQH
PBUMfGtWCJ2G/sHS4PBcbsNpjROI7flTdzV61x2C2EEjhTwLvznCh/GBPYVcFx12
SYXMCuq4Qf/2Fasqth1toxY0r3MhYOZa3uHIFqM55wBetRWUgL0JzDHTWBSrGvwr
lQb11Ds/jujab5DlmhiiUuhQQinln93tAA4x5yQtgo1omBobiZhNAD9eTMsSae/D
q/CpQ6ta
=HHe9
-----END PGP SIGNATURE-----
pgpSlaciEn5cK.pgp
Description: PGP signature
--- End Message ---