** Description changed: - Please consider upgrading libzip to the newest version (currently 1.20). - It comes with important changes (details here: - https://nih.at/libzip/NEWS.html) and also it's used by ark since commit - ee74c157daf3604277ffcf10d2a89b2b59556dd7: + Feature Freeze Justification + ============================ + This release fixes to two CVE's and most notably has removed its custom AES crypto implementation with using openssl libraries. It is for the security reasons I am requesting this FFe this late in the cycle. - Add libzip plugin - A new plugin for libzip was added. The plugin is only built if libzip - 1.20 or higher is installed, but is the preferred plugin for zip - archives. + Other Changes: + - A bunch of bug fixes + - A number of new features like bzip2 (this optional and could be disabled for 18.04), improved AES encryption support, some of the new features are other platforms only + - Breaks API (only 1 symbol was removed though), soname bump, so will require a mini transition, all the 23-odd reverse-depends that I count are in universe. + - they appear to have dropped their custom AES implementation in favour of using openssl (this should be a plus!) + - Build system switched to Cmake in latest release + + + Testing: + It has a fairly comprehensive test suite, but I did have to disable for now, a few problematic tests that fail in the launchpad buildd chroots, but not elsewhere like local machine or Debian schroot. + + I have run a test rebuild for all the rdepends in ppa:darkxst/libzip. + All built successfully, except for 2 packages, cbmc and plume-creater + that had unrelated fallout due to gcc7 and other packaging changes. + + Other Notes: + - There are a bunch of presumably private symbols leaked into the debian symbols file. Not ideal, but probably not the only package in the archive like that. 
+ - I will follow up with upstream issues for the RPATH stuff, tests and symbols later + - I will also push for the update into Debian + + Build Logs: + https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz + + + Upstream Changelog + ================== + 1.5.0 [2018-03-11] + ================== + + * Use standard cryptographic library instead of custom AES implementation. + This also simplifies the license. + * Use `clang-format` to format the source code. + * More Windows improvements. + + 1.4.0 [2017-12-29] + ================== + + * Improve build with cmake + * Retire autoconf/automake build system + * Add `zip_source_buffer_fragment()`. + * Add support to clone unchanged beginning of archive (instead of rewriting it). + Supported for buffer sources and on Apple File System. + * Add support for Microsoft Universal Windows Platform. + + 1.3.2 [2017-11-20] + ================== + * Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed. + + 1.3.1 [2017-11-19] + ================== + + * Install zipconf.h into ${PREFIX}/include + * Add zip_libzip_version() + * Fix AES tests on Linux + + 1.3.0 [2017-09-02] + ================== + + * Support bzip2 compressed zip archives + * Improve file progress callback code + * Fix zip_fdopen() + * CVE-2017-12858: Fix double free() + * CVE-2017-14107: Improve EOCD64 parsing + + 1.2.0 [2017-02-19] + ================== + + * Support for AES encryption (Winzip version), both encryption + and decryption + * Support legacy zip files with >64k entries + * Fix seeking in zip_source_file if start > 0 + * Add zip_fseek() for seeking in uncompressed data + * Add zip_ftell() for telling position in uncompressed data + * Add zip_register_progress_callback() for UI updates during zip_close() + + 1.1.3 [2016-05-28] + ================== + + * Fix build on Windows when using autoconf
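Review bot: the added Testing paragraph says a few tests were disabled because they fail in the launchpad buildd chroots, but it does not name them. The stated reason for this exception is the switch from the custom AES implementation to openssl plus two CVE fixes, so the description should list the disabled tests and say whether any of them exercise AES encryption or EOCD64 parsing. The justification paragraph could also name the two CVEs directly (the changelog lists CVE-2017-12858 and CVE-2017-14107 under 1.3.0) instead of leaving the reader to find them further down. The dropped custom AES implementation is stated twice, once in the justification and once under Other Changes; one mention is enough.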
https://bugs.launchpad.net/bugs/1674057

Title:
  [FFe] upgrade libzip to version 1.5.0

Status in libzip package in Ubuntu:
  In Progress
Status in libzip source package in Bionic:
  In Progress

Bug description:
  Feature Freeze Justification
  ============================
  This release fixes two CVEs and, most notably, has removed its custom AES crypto implementation in favour of using openssl libraries. It is for security reasons that I am requesting this FFe this late in the cycle.

  Other Changes:
  - A bunch of bug fixes
  - A number of new features like bzip2 (this is optional and could be disabled for 18.04) and improved AES encryption support; some of the new features are for other platforms only
  - Breaks API (only 1 symbol was removed though), soname bump, so will require a mini transition; all the 23-odd reverse-depends that I count are in universe.
  - They appear to have dropped their custom AES implementation in favour of using openssl (this should be a plus!)
  - Build system switched to CMake in latest release

  Testing:
  It has a fairly comprehensive test suite, but I did have to disable, for now, a few problematic tests that fail in the launchpad buildd chroots but not elsewhere, like a local machine or Debian schroot.

  I have run a test rebuild for all the rdepends in ppa:darkxst/libzip.
  All built successfully, except for 2 packages, cbmc and plume-creater, that had unrelated fallout due to gcc7 and other packaging changes.

  Other Notes:
  - There are a bunch of presumably private symbols leaked into the debian symbols file. Not ideal, but probably not the only package in the archive like that.
  - I will follow up with upstream issues for the RPATH stuff, tests and symbols later
  - I will also push for the update into Debian

  Build Logs:
  https://launchpadlibrarian.net/363222435/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic3_BUILDING.txt.gz

  Upstream Changelog
  ==================

  1.5.0 [2018-03-11]
  ==================

  * Use standard cryptographic library instead of custom AES implementation.
    This also simplifies the license.
  * Use `clang-format` to format the source code.
  * More Windows improvements.

  1.4.0 [2017-12-29]
  ==================

  * Improve build with cmake
  * Retire autoconf/automake build system
  * Add `zip_source_buffer_fragment()`.
  * Add support to clone unchanged beginning of archive (instead of rewriting it).
    Supported for buffer sources and on Apple File System.
  * Add support for Microsoft Universal Windows Platform.

  1.3.2 [2017-11-20]
  ==================

  * Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed.

  1.3.1 [2017-11-19]
  ==================

  * Install zipconf.h into ${PREFIX}/include
  * Add zip_libzip_version()
  * Fix AES tests on Linux

  1.3.0 [2017-09-02]
  ==================

  * Support bzip2 compressed zip archives
  * Improve file progress callback code
  * Fix zip_fdopen()
  * CVE-2017-12858: Fix double free()
  * CVE-2017-14107: Improve EOCD64 parsing

  1.2.0 [2017-02-19]
  ==================

  * Support for AES encryption (Winzip version), both encryption
    and decryption
  * Support legacy zip files with >64k entries
  * Fix seeking in zip_source_file if start > 0
  * Add zip_fseek() for seeking in uncompressed data
  * Add zip_ftell() for telling position in uncompressed data
  * Add zip_register_progress_callback() for UI updates during zip_close()

  1.1.3 [2016-05-28]
  ==================

  * Fix build on Windows when using autoconf