FS#70970 - [lz4] [security] CVE-2021-3520

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Friday, 21 May 2021, 14:49 GMT
Last edited by Jonas Witschel (diabonas) - Sunday, 23 May 2021, 19:01 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Sébastien Luttringer (seblu), Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


The lz4 package is vulnerable to CVE-2021-3520.

Additional info:
The following commit fixes it, but has not been in a release yet:

Closed by Jonas Witschel (diabonas)
Sunday, 23 May 2021, 19:01 GMT
Reason for closing: Fixed
Additional comments about closing: lz4 1:1.9.3-2
Comment by Sébastien Luttringer (seblu) - Friday, 21 May 2021, 15:27 GMT
Thanks for the watch. Package is in [testing].
Comment by T.J. Townsend (blakkheim) - Sunday, 23 May 2021, 16:59 GMT
This can be closed now.