On 3/29/24 10:52 PM, Michael Olbrich wrote:
> On Sun, Feb 25, 2024 at 03:35:13PM +0100, Christian Melki wrote:
>> https://github.com/tukaani-project/xz/releases/tag/v5.6.0
>> https://github.com/tukaani-project/xz/releases/tag/v5.5.2beta
>> https://github.com/tukaani-project/xz/releases/tag/v5.5.1alpha
>> https://github.com/tukaani-project/xz/releases/tag/v5.4.6
>> https://github.com/tukaani-project/xz/releases/tag/v5.4.5
>>
>> * License conditions changed! The majority of XZ
>> that was public domain is now re-released under the 0-clause BSD license.
>> Otherwise, the other parts still remains the same.
>> The sum of XZ licensing is pretty complex however.
>>
>> * URL changed. XZ is now hosted on github.
>>
>> * Fix a few options.
>
> FYI, I reverted this for now. It seems the release tarballs are
> compromised[1]. From what I've read so far, PTXdist is probably not
> affected, since we don't carry the relevant openssh patches.
> But the next PTXdist release will happen pretty soon, so we'll stick to the
> old version for now. We can update once upstream is sorted out.
>
> Regards,
> Michael
>
> [1] https://www.cve.org/CVERecord?id=CVE-2024-3094
>
Yeah. I just saw the news.
I would suspect the actor has tried to infiltrate other projects as well.
Everything that account has touched probably needs to be vetted.
https://github.com/JiaT75?tab=repositories

Tnx for the heads up.

Regards,
C

>> Signed-off-by: Christian Melki <christian.me...@t2data.com> >> --- >> rules/xz.make | 17 ++++++++++------- >> 1 file changed, 10 insertions(+), 7 deletions(-) >> >> diff --git a/rules/xz.make b/rules/xz.make >> index f24a2ac03..51490b2ce 100644 >> --- a/rules/xz.make >> +++ b/rules/xz.make >> @@ -14,16 +14,16 @@ PACKAGES-$(PTXCONF_XZ) += xz >> # >> # Paths and names >> # >> -XZ_VERSION := 5.4.4 >> -XZ_MD5 := fbb849a27e266964aefe26bad508144f >> +XZ_VERSION := 5.6.0 >> +XZ_MD5 := cfb1afdfcfeca02f7677b1b401bc536e >> XZ := xz-$(XZ_VERSION) >> -XZ_SUFFIX := tar.bz2 >> -XZ_URL := https://tukaani.org/xz/$(XZ).$(XZ_SUFFIX) >> +XZ_SUFFIX := tar.xz >> +XZ_URL := >> https://github.com/tukaani-project/xz/releases/download/v$(XZ_VERSION)/$(XZ).$(XZ_SUFFIX) >> XZ_SOURCE := $(SRCDIR)/$(XZ).$(XZ_SUFFIX) >> XZ_DIR := $(BUILDDIR)/$(XZ) >> -XZ_LICENSE := public_domain AND LGPL-2.1-or-later AND GPL-2.0-or-later AND >> GPL-3.0-or-later >> +XZ_LICENSE := public_domain AND 0BSD AND LGPL-2.1-or-later AND >> GPL-2.0-or-later AND GPL-3.0-or-later >> XZ_LICENSE_FILES := \ >> - file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \ >> + file://COPYING;md5=3ef4de063517b8d33e97bbb87a3339ee \ >> file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ >> file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \ >> file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c >> @@ -44,6 +44,7 @@ XZ_CONF_OPT := \ >> --disable-lzip-decoder \ >> --enable-assembler \ >> --enable-clmul-crc \ >> + --enable-arm64-crc32 \ >> --disable-small \ >> --enable-threads \ >> --$(call ptx/endis,PTXCONF_XZ_TOOLS)-xz \ 
>> @@ -60,9 +61,11 @@ XZ_CONF_OPT := \ >> --disable-nls \ >> --disable-rpath \ >> $(GLOBAL_LARGE_FILE_OPTION) \ >> + --enable-ifunc \ >> --enable-unaligned-access=auto \ >> --disable-unsafe-type-punning \ >> - --disable-werror >> + --disable-werror \ >> + --$(call ptx/endis, PTXDIST_Y2038)-year2038 >> >> # >> ---------------------------------------------------------------------------- >> # Target-Install >> -- >> 2.34.1 >> >> >> >
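
Review bot: In the first hunk (@@ -14,16), XZ_MD5 is the only integrity pin while XZ_URL moves from tukaani.org to a GitHub release asset and XZ_SUFFIX changes to tar.xz. The hash only records the bytes that were fetched when it was computed; it says nothing about whether that release tarball corresponds to the tagged source. Given the reply in this thread that the release tarballs are compromised, the commit message should state how the 5.6.0 tarball was checked before the new hash was recorded, for example against the upstream signature or a comparison with the v5.6.0 tag. The same applies to the changed md5 for file://COPYING: the message mentions the 0BSD relicensing but not that the new COPYING text was actually read.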
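
Review bot: In the last hunk (@@ -60,9), --enable-ifunc is forced on for every target, and the commit message covers it only with "Fix a few options". ifunc is a toolchain and libc dependent feature, so hardcoding it can break or silently change the build on targets whose libc does not support it. Either leave it at configure's default detection or tie it to a config symbol, the way the new --$(call ptx/endis, PTXDIST_Y2038)-year2038 line does for year2038, and name each newly added option with its reason in the commit message.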