#1039114 python3-zstd uses a vendored copy of libzstd

Package:
python3-zstd
Source:
python3-zstd
Description:
python bindings to Yann Collet ZSTD compression library
Submitter:
Adrian Bunk
Date:
2024-02-25 16:09:03 UTC
Severity:
normal
#1039114#5
Date:
2023-06-25 20:22:15 UTC
From:
To:
python3-zstd uses a vendored copy of libzstd, and might
therefore have unfixed CVEs:
https://security-tracker.debian.org/tracker/source-package/libzstd

Linking with the system libzstd (as is supported by the upstream
build system) works for me, please consider doing that so that
python3-zstd will benefit from security fixes to src:libzstd.
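
An added example, not part of the original report or of the python-zstd packaging: one way to check whether a built extension module asks the loader for a shared libzstd is to read the DT_NEEDED entries from its ELF dynamic section. The function names, the `libzstd.so` prefix match, the little-endian ELF64 restriction and the constructed `sample_elf` input are assumptions of this example; a zstd binding with no libzstd entry in DT_NEEDED is taken to carry a bundled copy.

```python
import pathlib, struct, sys

DT_NULL, DT_NEEDED, DT_STRTAB, PT_LOAD, PT_DYNAMIC = 0, 1, 5, 1, 2

def needed_libs(elf: bytes) -> list:
    """Return the DT_NEEDED sonames of a little-endian ELF64 object."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    phdrs = [struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize) for i in range(phnum)]
    loads = [(va, off, size) for t, _, off, va, _, size in phdrs if t == PT_LOAD]
    d_off, d_size = next(((off, size) for t, _, off, _, _, size in phdrs if t == PT_DYNAMIC), (0, 0))
    # The dynamic array is a list of (tag, value) pairs that ends at DT_NULL.
    dyn = []
    for pos in range(d_off, d_off + d_size, 16):
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        dyn.append((tag, val))
    name_offs = [val for tag, val in dyn if tag == DT_NEEDED]
    if not name_offs:
        return []  # static object, or no shared-library dependencies
    strtab = next((val for tag, val in dyn if tag == DT_STRTAB), None)
    # DT_STRTAB holds a virtual address; map it to a file offset through PT_LOAD.
    base = next((off + strtab - va for va, off, size in loads
                 if strtab is not None and va <= strtab < va + size), None)
    if base is None:
        raise ValueError("DT_STRTAB missing or outside every PT_LOAD segment")
    return [elf[base + n:elf.index(b"\0", base + n)].decode() for n in name_offs]

def links_system_zstd(elf: bytes) -> bool:
    """True when the object asks the dynamic loader for a shared libzstd."""
    return any(lib.startswith("libzstd.so") for lib in needed_libs(elf))

def sample_elf(sonames, vbase=0x1000):
    """Constructed sample input: a minimal ELF64 with one PT_LOAD and one PT_DYNAMIC."""
    strtab, offs = b"\0", []
    for s in sonames:
        offs.append(len(strtab))
        strtab += s.encode() + b"\0"
    str_off = 176 + 16 * (len(offs) + 2)  # ELF header (64) + 2 phdrs (56 each) + dyn array
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offs)
    dyn += struct.pack("<qQqQ", DT_STRTAB, vbase + str_off, DT_NULL, 0)
    end = str_off + len(strtab)
    phdr = lambda t, off, size: struct.pack("<IIQQQQQQ", t, 4, off, vbase + off, vbase + off, size, size, 8)
    return (b"\x7fELF\x02\x01\x01" + bytes(9)
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
            + phdr(PT_LOAD, 0, end) + phdr(PT_DYNAMIC, 176, len(dyn)) + dyn + strtab)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, links_system_zstd(pathlib.Path(path).read_bytes()))
```

Run against the installed extension module, the script prints the module path followed by True or False.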

#1039114#8
Date:
2024-02-25 15:27:12 UTC
From:
To:
Hello,

Bug #1039114 in python-zstd reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/python-zstd/-/commit/471037885fbe0db0046116ac3039f8b03e2342a2
------------------------------------------------------------------------
build with external libzstd (Closes: #1039114)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1039114

#1039114#15
Date:
2024-02-25 16:07:25 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
python-zstd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1039114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandre Detiste <tchet@debian.org> (supplier of updated python-zstd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 25 Feb 2024 16:26:24 +0100
Source: python-zstd
Architecture: source
Version: 1.5.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Alexandre Detiste <tchet@debian.org>
Closes: 1039114
Changes:
 python-zstd (1.5.5.1-1) unstable; urgency=medium
 .
   * Team Upload
   * New upstream version 1.5.5.1
   * use new dh-sequence-python3
   * build with external libzstd (Closes: #1039114)
   * remove extraneous build dep on python3-mock
   * clean cache files
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Update standards version to 4.6.1, no changes needed.