Source: lz4
Version: 1.9.1-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for lz4.

CVE-2019-17543[0]:
| LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32
| (related to LZ4_compress_destSize), affecting applications that call
| LZ4_compress_fast with a large input. (This issue can also lead to
| data corruption.) NOTE: the vendor states "only a few specific /
| uncommon usages of the API are at risk."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17543
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543

I think for unstable moving to 1.9.2 is the best option. For buster and
stretch the issue is not worth a DSA, given this only affects very
specific and uncommon usages of the API.

Regards,
Salvatore
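An added helper, not part of Salvatore's report or of the lz4 project, for checking whether a Debian-style lz4 package version string (epoch and revision included, e.g. "1.9.1-2") predates the 1.9.2 upstream fix named above; the package name liblz4-1 in the comment is an assumption, and the version strings fed in are constructed samples.

```shell
# Strip a Debian epoch ("2:") and revision ("-2") to get the upstream version.
lz4_upstream_version() {
  v=${1#*:}      # drop epoch if present
  v=${v%%-*}     # drop Debian revision if present
  printf '%s\n' "$v"
}

# Compare two dotted versions numerically, component by component.
# Prints -1, 0 or 1 as $1 is less than, equal to, or greater than $2.
# Non-numeric suffixes such as "~rc1" are ignored, so a pre-release is
# treated like the release it precedes (conservative enough for this check).
version_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ac=${a%%.*}; if [ "$ac" = "$a" ]; then a=; else a=${a#*.}; fi
    bc=${b%%.*}; if [ "$bc" = "$b" ]; then b=; else b=${b#*.}; fi
    ac=${ac%%[!0-9]*}; bc=${bc%%[!0-9]*}
    ac=${ac:-0}; bc=${bc:-0}
    if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return; fi
    if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Exit status 0 if the given package version is affected by CVE-2019-17543
# (upstream version older than 1.9.2), 1 otherwise.
lz4_affected_by_cve_2019_17543() {
  up=$(lz4_upstream_version "$1")
  [ "$(version_cmp "$up" 1.9.2)" -lt 0 ]
}

# Sample run on a constructed version string; on a real system replace it
# with the output of e.g. `dpkg-query -W -f='${Version}' liblz4-1`
# (liblz4-1 is an assumed package name).
if lz4_affected_by_cve_2019_17543 "1.9.1-2"; then
  echo "1.9.1-2: affected, upgrade to 1.9.2 or later"
else
  echo "1.9.1-2: not affected"
fi
```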