Arch Linux

FS#70970 - [lz4] [security] CVE-2021-3520

Attached to Project: Arch Linux
Opened by mysta (mysta) - Friday, 21 May 2021, 14:49 GMT
Last edited by Jonas Witschel (diabonas) - Sunday, 23 May 2021, 19:01 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Sébastien Luttringer (seblu), Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


The lz4 package is vulnerable to CVE-2021-3520.

Additional info:
The following commit fixes it, but has not been in a release yet:

Closed by Jonas Witschel (diabonas)
Sunday, 23 May 2021, 19:01 GMT
Reason for closing: Fixed
Additional comments about closing: lz4 1:1.9.3-2
Comment by Sébastien Luttringer (seblu) - Friday, 21 May 2021, 15:27 GMT
Thanks for the watch. Package is in [testing].
Comment by mysta (mysta) - Sunday, 23 May 2021, 16:59 GMT
This can be closed now.