Detections
Analytics
openSUSE Security Update : zstd (openSUSE-2019-1952)
high Nessus Plugin ID 128015
Language:
Synopsis
The remote openSUSE host is missing a security update.Description
This update for zstd fixes the following issues :- Update to version 1.4.2 :
- bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
- bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
- bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
- misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
- misc: Restructure source files by @ephiepark (#1679)
- Update to version 1.4.1 :
- bug: Fix data corruption in niche use cases by @terrelln (#1659)
- bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594, #1595)
- bug: Fix out of bounds read by @terrelln (#1590)
- perf: Improve decode speed by ~7% @mgrice (#1668)
- perf: Slightly improved compression ratio of level 3 and 4 (ZSTD_dfast) by @cyan4973 (#1681)
- perf: Slightly faster compression speed when re-using a context by @cyan4973 (#1658)
- perf: Improve compression ratio for small windowLog by @cyan4973 (#1624)
- perf: Faster compression speed in high compression mode for repetitive data by @terrelln (#1635)
- api: Add parameter to generate smaller dictionaries by @tyler-tran (#1656)
- cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
- cli: Expose cpu load indicator for each file on -vv mode by @ephiepark (#1631)
- cli: Restrict read permissions on destination files by @chungy (#1644)
- cli: zstdgrep: handle -f flag by @felixhandte (#1618)
- cli: zstdcat: follow symlinks by @vejnar (#1604)
- doc: Remove extra size limit on compressed blocks by @felixhandte (#1689)
- doc: Fix typo by @yk-tanigawa (#1633)
- doc: Improve documentation on streaming buffer sizes by @cyan4973 (#1629)
- build: CMake: support building with LZ4 @leeyoung624 (#1626)
- build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
- build: CMake: respect existing uninstall target by @j301scott (#1619)
- build: Make: skip multithread tests when built without support by @michaelforney (#1620)
- build: Make: Fix examples/ test target by @sjnam (#1603)
- build: Meson: rename options out of deprecated namespace by @lzutao (#1665)
- build: Meson: fix build by @lzutao (#1602)
- build: Visual Studio: don't export symbols in static lib by @scharan (#1650)
- build: Visual Studio: fix linking by @absotively (#1639)
- build: Fix MinGW-W64 build by @myzhang1029 (#1600)
- misc: Expand decodecorpus coverage by @ephiepark (#1664)
- Add baselibs.conf: libarchive gained zstd support and provides
-32bit libraries. This means, zstd also needs to provide
-32bit libs.
- Update to new upstream release 1.4.0
- perf: level 1 compression speed was improved
- cli: added --[no-]compress-literals flag to enable or disable literal compression
- Reword 'real-time' in description by some actual statistics, because 603MB/s (lowest zstd level) is not 'real-time' for quite some applications.
- zstd 1.3.8 :
- better decompression speed on large files (+7%) and cold dictionaries (+15%)
- slightly better compression ratio at high compression modes
- new --rsyncable mode
- support decompression of empty frames into NULL (used to be an error)
- support ZSTD_CLEVEL environment variable
- --no-progress flag, preserving final summary
- various CLI fixes
- fix race condition in one-pass compression functions that could allow out of bounds write (CVE-2019-11922, boo#1142941)
- zstd 1.3.7 :
- fix ratio for dictionary compression at levels 9 and 10
- add man pages for zstdless and zstdgrep
- includes changes from zstd 1.3.6 :
- faster dictionary builder, also the new default for
--train
- previous (slower, slightly higher quality) dictionary builder to be selected via --train-cover
- Faster dictionary decompression and compression under memory limits with many dictionaries used simultaneously
- New command --adapt for compressed network piping of data adjusted to the perceived network conditions
- update to 1.3.5 :
- much faster dictionary compression
- small quality improvement for dictionary generation
- slightly improved performance at high compression levels
- automatic memory release for long duration contexts
- fix overlapLog can be manually set
- fix decoding invalid lz4 frames
- fix performance degradation for dictionary compression when using advanced API
- fix pzstd tests
- enable pzstd (parallel zstd)
- Use %license instead of %doc [boo#1082318]
- Add disk _constraints to fix ppc64le build
- Use FAT LTO objects in order to provide proper static library (boo#1133297).
Solution
Update the affected zstd packages.See Also
https://bugzilla.opensuse.org/show_bug.cgi?id=1082318
Plugin Details
Severity: High
ID: 128015
File Name: openSUSE-2019-1952.nasl
Version: 1.4
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 8/20/2019
Updated: 1/19/2021
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: High
Base Score: 8.1
Temporal Score: 7.1
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:libzstd-devel, p-cpe:/a:novell:opensuse:libzstd-devel-static, p-cpe:/a:novell:opensuse:libzstd1, p-cpe:/a:novell:opensuse:libzstd1-debuginfo, p-cpe:/a:novell:opensuse:zstd, p-cpe:/a:novell:opensuse:zstd-debuginfo, p-cpe:/a:novell:opensuse:zstd-debugsource, cpe:/o:novell:opensuse:15.0
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 8/19/2019
Vulnerability Publication Date: 7/25/2019
Reference Information
CVE: CVE-2019-11922