rust-lz4-flex - Debian Package Tracker

general

versioned links

0.11.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.13.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

action needed

A new upstream version is available: 0.13.1 high

A new upstream version 0.13.1 is available, you should consider packaging it.

Created: 2026-05-12 Last update: 2026-05-15 07:30

29 open merge requests in Salsa normal

There are 29 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2026-05-11 18:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-18 Last update: 2026-03-18 18:31

1 low-priority security issue in trixie low

1 issue left for the package maintainer to handle:

CVE-2026-32829: (needs triaging) lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-03-17 Last update: 2026-05-07 14:03

debian/patches: 3 patches to forward upstream low

Among the 3 debian patches available in version 0.13.0-1 of the package, we noticed the following issues:

3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-10-20 Last update: 2026-03-17 23:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

[2026-03-21] rust-lz4-flex 0.13.0-1 MIGRATED to testing (Debian testing watch)
[2026-03-17] Accepted rust-lz4-flex 0.13.0-1 (source) into unstable (kpcyrd)
[2025-10-22] rust-lz4-flex 0.11.3-2 MIGRATED to testing (Debian testing watch)
[2025-10-19] Accepted rust-lz4-flex 0.11.3-2 (source) into unstable (NoisyCoil) (signed by: capitol@debian.org)
[2024-12-16] rust-lz4-flex 0.11.3-1 MIGRATED to testing (Debian testing watch)
[2024-12-11] Accepted rust-lz4-flex 0.11.3-1 (source) into unstable (kpcyrd)
[2023-07-17] rust-lz4-flex 0.11.1-1 MIGRATED to testing (Debian testing watch)
[2023-07-11] Accepted rust-lz4-flex 0.11.1-1 (amd64 source) into unstable (Debian FTP Masters) (signed by: Sylvestre Ledru)

bugs [bug history graph]

links

ubuntu