diff --git a/advisories/hackage/bz2/HSEC-2024-0002.md b/advisories/hackage/bz2/HSEC-2024-0002.md
new file mode 120000
index 00000000..cb2989c5
--- /dev/null
+++ b/advisories/hackage/bz2/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
\ No newline at end of file
diff --git a/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
new file mode 120000
index 00000000..cb2989c5
--- /dev/null
+++ b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
\ No newline at end of file
diff --git a/advisories/hackage/bzlib/HSEC-2024-0002.md b/advisories/hackage/bzlib/HSEC-2024-0002.md
new file mode 100644
index 00000000..3fa19c71
--- /dev/null
+++ b/advisories/hackage/bzlib/HSEC-2024-0002.md
@@ -0,0 +1,45 @@
+```toml
+[advisory]
+id = "HSEC-2024-0002"
+cwe = [787]
+keywords = ["corruption"]
+
+[[references]]
+type = "DISCUSSION"
+url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"
+
+[[references]]
+type = "FIX"
+url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"
+
+[[affected]]
+package = "bzlib"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
+[[affected.versions]]
+introduced = "0.4"
+
+[[affected]]
+package = "bz2"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+
+[[affected]]
+package = "bzlib-conduit"
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+```
+
+# out-of-bounds write when there are many bzip2 selectors
+
+A malicious bzip2 payload may produce a memory corruption
+resulting in remote code execution.
+Network services or command line utilities decompressing
+untrusted bzip2 payloads are affected.
+
+Note that the exploitation of this bug relies on an undefined
+behavior that appears to be handled safely by current compiler.
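Review bot: Each `[[affected.versions]]` entry in the bzlib advisory gives only `introduced`, so the advisory states that every release of bzlib from 0.4, and of bz2 and bzlib-conduit from 0.1.0.0, is still vulnerable; if any of these packages ships the patched bzip2 code referenced by the FIX entry, add `fixed = "<first fixed version>"` to that entry, and if no fixed release exists, say so explicitly in the prose so readers know no upgrade path is available. The severity metadata and the prose also pull in different directions: all three `cvss` vectors claim C:H/I:H/A:H, while the final sentence says exploitation depends on undefined behaviour that current compilers appear to handle safely; a sentence such as `The CVSS score reflects the worst case for the out-of-bounds write; whether it is reachable depends on how the bundled C code is compiled.` would reconcile the two. Since the bz2 and bzlib-conduit files are symlinks to this advisory, any such change applies to all three packages at once, and the text should also note which bzip2 version the affected packages bundle, since that is what determines whether the upstream fix is present.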