[Bug 1755310] Re: MIR libzstd
Steve Beattie
1755310 at bugs.launchpad.net
Thu Apr 22 17:00:24 UTC 2021
Ack from the Ubuntu Security team for moving libzstd into main in
xenial.
(There is a third CVE believed to be affecting libzstd/xenial as well,
CVE-2019-11922)
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11922
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libzstd in Ubuntu.
https://bugs.launchpad.net/bugs/1755310
Title:
MIR libzstd
Status in libzstd package in Ubuntu:
Fix Released
Status in libzstd source package in Xenial:
New
Bug description:
[Availability]
* In Universe, on all supported arches, since xenial
[Rationale]
* In use by btrfs-progs[-udeb] in main
* To be used by apt & dpkg
* Already in use by the kernel for initramfs compression, however that is using an in-kernel implementation
[Security]
* https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zstd -> none
* Hardening flags are available
* There are some compiler warnings
[Quality assurance]
* Maintained in Debian med team
* xnox has upload rights, and fixed up for it to be Multi-arch sane
* testsuite is enabled and passing
* lacks autopkgtests, could be added to run the test-suite
[Dependencies]
* Currently has only glibc as dependency
* Command line tool can be compiled with gzip (already enabled), xz/lzma/lz4 (not enabled), thus making the zstd util to cover all cases of compress/decompress/cat/less for any of these algos.
[Standards compliance]
* Complies with Debian packaging guidelines
* Currently does not build reproducibly
[Maintenance]
* Med, D-I teams in Debian, and foundations in Ubuntu
[Background information]
* A new compression algorithm from Facebook, which is comparable to
gzip, yet faster / less resource intensive than xz.