Releases retrieved: 5.2.13, 5.4.7, 5.6.2
Upstream release that is considered latest: 5.6.2
Current version/release in rawhide: 5.4.6-3.fc41
URL: https://tukaani.org/xz/

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/

More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from Anitya: https://release-monitoring.org/project/5277/

To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/xz
Created attachment 2035604: Update to 5.6.2 (#2283854)
the-new-hotness/release-monitoring.org's scratch build of xz-5.6.2-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=118250352
https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS

XZ Utils Release Notes
======================

5.6.2 (2024-05-29)

    * Remove the backdoor (CVE-2024-3094).

    * Not changed: Memory sanitizer (MSAN) has a false positive
      in the CRC CLMUL code which also makes OSS Fuzz unhappy.
      Valgrind is smarter and doesn't complain.

      A revision to the CLMUL code is coming anyway and this issue
      will be cleaned up as part of it. It won't be backported to
      5.6.x or 5.4.x because the old code isn't wrong. There is
      no reason to risk introducing regressions in old branches
      just to silence a false positive.

    * liblzma:

      - lzma_index_decoder() and lzma_index_buffer_decode(): Fix
        a missing output pointer initialization (*i = NULL) if the
        functions are called with invalid arguments. The API docs
        say that such an initialization is always done. In practice
        this matters very little because the problem can only occur
        if the calling application has a bug and these functions
        return LZMA_PROG_ERROR.

      - lzma_str_to_filters(): Fix a missing output pointer
        initialization (*error_pos = 0). This is very similar
        to the fix above.

      - Fix C standard conformance with function pointer types.

      - Remove GNU indirect function (IFUNC) support. This is *NOT*
        done for security reasons even though the backdoor relied on
        this code. The performance benefits of IFUNC are too tiny in
        this project to make the extra complexity worth it.

      - FreeBSD on ARM64: Add error checking to CRC32 instruction
        support detection.

      - Fix building with NVIDIA HPC SDK.

    * xz:

      - Fix a C standard conformance issue in --block-list parsing
        (arithmetic on a null pointer).

      - Fix a warning from GNU groff when processing the man page:
        "warning: cannot select font 'CW'"

    * xzdec: Add support for Linux Landlock ABI version 4. xz already
      had the v3-to-v4 change but it had been forgotten from xzdec.

    * Autotools-based build system (configure):

      - Symbol versioning variant can now be overridden with
        --enable-symbol-versions. Documentation in INSTALL was
        updated to match.

      - Add new configure option --enable-doxygen to enable
        generation and installation of the liblzma API documentation
        using Doxygen. Documentation in INSTALL and PACKAGERS was
        updated to match.

    * CMake:

      - Fix detection of Linux Landlock support. The detection code
        in CMakeLists.txt had been sabotaged.

      - Disable symbol versioning on non-glibc Linux to match what
        the Autotools build does. For example, symbol versioning
        isn't enabled with musl.

      - Symbol versioning variant can now be overridden by setting
        SYMBOL_VERSIONING to "OFF", "generic", or "linux".

      - Add support for all tests in typical build configurations.
        Now the only difference in test coverage to Autotools
        is that the CMake-based build will skip more tests if features
        are disabled. Such builds are only for special cases like
        embedded systems.

      - Separate the CMake code for the tests into tests/tests.cmake.
        It is used conditionally, thus it is possible to

            rm -rf tests

        and the CMake-based build will still work normally except
        that no tests are then available.

      - Add an option ENABLE_DOXYGEN to enable generation and
        installation of the liblzma API documentation using Doxygen.

    * Documentation:

      - Omit the Doxygen-generated liblzma API documentation from the
        package. Instead, the generation and installation of the API
        docs can be enabled with a configure or CMake option if
        Doxygen is available.

      - Remove the XZ logo which was used in the API documentation.
        The logo has been retired and isn't used by the project
        anymore. However, it's OK to use it in contexts that refer
        to the backdoor incident.

      - Remove the PDF versions of the man pages from the source
        package. These existed primarily for users of operating
        systems which don't come with tools to render man page
        source files. The plain text versions are still included
        in doc/man/txt. PDF files can still be generated to doc/man,
        if the required tools are available, using "make pdf" after
        running "configure".

      - Update home page URLs back to their old locations on
        tukaani.org.

      - Update maintainer info.

    * Tests:

      - In tests/files/README, explain how to recreate the ARM64
        test files.

      - Remove two tests that used tiny x86 and SPARC object files
        as the input files. The matching .c file was included but
        the object files aren't easy to reproduce. The test cases
        weren't great anyway; they were from the early days (2009)
        of the project when the test suite had very few tests.

      - Improve a few tests.
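As an added illustration of the output-pointer contract that the lzma_index_decoder() fix in the notes above restores (this is not liblzma's own code): a hypothetical miniature decoder in its buggy and fixed shapes, plus the check a caller can use to see whether the "*i = NULL on every error path" guarantee is honoured. The index_demo type, the DEMO_* return codes and the flag mask are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical miniature of the lzma_index_decoder() contract from the
 * release notes; not liblzma code. All DEMO_/_demo names are made up. */
typedef struct { uint64_t memlimit; } index_demo;

enum { DEMO_OK = 0, DEMO_MEM_ERROR = 5, DEMO_PROG_ERROR = 11 };
#define DEMO_SUPPORTED_FLAGS 0x3u   /* hypothetical set of valid flags */

/* Shape of the bug: the flag check returns before *i is touched, so on
 * DEMO_PROG_ERROR the caller's pointer keeps whatever it held before. */
int decoder_before_fix(index_demo **i, uint64_t memlimit, uint32_t flags)
{
    if (i == NULL)
        return DEMO_PROG_ERROR;
    if ((flags & ~DEMO_SUPPORTED_FLAGS) != 0)
        return DEMO_PROG_ERROR;             /* *i left uninitialized */
    if ((*i = calloc(1, sizeof **i)) == NULL)
        return DEMO_MEM_ERROR;
    (*i)->memlimit = memlimit;
    return DEMO_OK;
}

/* Fixed shape: *i is cleared as soon as i itself is known to be valid,
 * so every later error path honours the documented "*i = NULL". */
int decoder_after_fix(index_demo **i, uint64_t memlimit, uint32_t flags)
{
    if (i == NULL)
        return DEMO_PROG_ERROR;
    *i = NULL;                              /* documented initialization */
    if ((flags & ~DEMO_SUPPORTED_FLAGS) != 0)
        return DEMO_PROG_ERROR;
    if ((*i = calloc(1, sizeof **i)) == NULL)
        return DEMO_MEM_ERROR;
    (*i)->memlimit = memlimit;
    return DEMO_OK;
}

/* Caller-side check: seed the out-pointer with a sentinel, pass flags the
 * decoder rejects, and report whether it still nulled *i. A caller that
 * would free()/lzma_index_end() the pointer on any return needs this. */
int contract_honoured(int (*decoder)(index_demo **, uint64_t, uint32_t))
{
    index_demo *i = (index_demo *)(uintptr_t)0xdeadbeef;  /* sentinel */
    int ret = decoder(&i, (uint64_t)64 << 20, 0xffu);
    return ret == DEMO_PROG_ERROR && i == NULL;
}
```

Against a liblzma older than 5.6.2/5.4.7 the practical mitigation is on the caller's side: set the pointer to NULL yourself before the call, so cleanup on an error return is harmless regardless of which shape the library has.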
(In reply to Upstream Release Monitoring from comment #0)
> Releases retrieved: 5.2.13, 5.4.7, 5.6.2
> Upstream release that is considered latest: 5.6.2
> Current version/release in rawhide: 5.4.6-3.fc41
> URL: https://tukaani.org/xz/
> Based on the information from Anitya: https://release-monitoring.org/project/5277/
> To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/xz

The 5.4 branch is still maintained. Release Notes 5.4.7 (2024-05-29): https://git.tukaani.org/?p=xz.git;a=blob_plain;f=NEWS;hb=refs/heads/v5.4
https://koji.fedoraproject.org/koji/taskinfo?taskID=119339037
FEDORA-2024-9f4af7c165 (xz-5.6.2-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-9f4af7c165
As is traditional, I forgot to do the perl-Compress-Raw-Lzma update, but I'll do that as soon as the package is moved to Rawhide.
FEDORA-2024-9f4af7c165 (xz-5.6.2-1.fc41) has been pushed to the Fedora 41 stable repository. If the problem still persists, please make note of it in this bug report.