Hi Thorsten,

On Mon, Jun 24, 2019 at 10:24:51PM +0200, Thorsten Alteholz wrote:
> Package : bzip2
> Version : 1.0.6-7+deb8u1
> CVE ID : CVE-2016-3189 CVE-2019-12900
>
> Two issues in bzip2, a high-quality block-sorting file compressor, have been
> fixed. One, CVE-2019-12900, is an out-of-bounds write when using a crafted
> compressed file. The other, CVE-2016-3189, is a potential use-after-free.

The update for bzip2 is affected as well by a regression due to the CVE-2019-12900 fix, cf. https://bugs.debian.org/931278 .

There is now an upstream fix for this:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13

Hope this helps,

Regards,
Salvatore
