[Git][security-tracker-team/security-tracker][master] CVE-2019-17543,lz4: Mark as no-dsa for Jessie

Markus Koschany apo at debian.org
Sun Oct 20 18:54:38 BST 2019



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
94ec3449 by Markus Koschany at 2019-10-20T17:52:55Z
CVE-2019-17543,lz4: Mark as no-dsa for Jessie

According to upstream the bug is hard to exploit and the risk is low. It
requires multiple uncommon constraints on the encoder side. The CLI is immune
to this bug.

https://github.com/lz4/lz4/issues/801

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2506,6 +2506,7 @@ CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer
 	NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e
 CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...)
 	- lz4 <unfixed>
+	[jessie] - lz4 <no-dsa> (Very hard to exploit, low risk)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
 	NOTE: https://github.com/lz4/lz4/pull/756
 	NOTE: https://github.com/lz4/lz4/pull/760
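Review bot: The rationale on the added "[jessie] - lz4 <no-dsa> (Very hard to exploit, low risk)" line has no source next to it in data/CVE/list. The commit message attributes the assessment to upstream and links https://github.com/lz4/lz4/issues/801, but the entry's NOTE lines list only the oss-fuzz issue and pulls 756 and 760. Consider adding "NOTE: https://github.com/lz4/lz4/issues/801" to this entry so the basis for the triage decision (uncommon encoder-side constraints, CLI not affected) stays traceable from the tracker data without reading the commit log.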



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/94ec344958e13019263b92d34ee38fca01bd1c00
