golang-github-ulikunitz-xz - Debian Package Tracker

general

versioned links

0.5.6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.5.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

action needed

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-02 Last update: 2025-09-02 04:33

1 low-priority security issue in trixie low

1 issue left for the package maintainer to handle:

CVE-2025-58058: (needs triaging) xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-30 Last update: 2025-09-08 01:32

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2025-58058: (needs triaging) xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-30 Last update: 2025-09-08 01:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.5.0).

Created: 2019-09-29 Last update: 2025-09-01 19:36

[2025-09-04] golang-github-ulikunitz-xz 0.5.15-1 MIGRATED to testing (Debian testing watch)
[2025-09-01] Accepted golang-github-ulikunitz-xz 0.5.15-1 (source) into unstable (Dylan Aïssi)
[2024-08-09] Accepted golang-github-ulikunitz-xz 0.5.12-1 (source) into experimental (Reinhard Tartler)
[2021-05-21] golang-github-ulikunitz-xz 0.5.6-2 MIGRATED to testing (Debian testing watch)
[2021-05-16] Accepted golang-github-ulikunitz-xz 0.5.6-2 (source) into unstable (Shengjing Zhu)
[2019-08-27] golang-github-ulikunitz-xz 0.5.6-1 MIGRATED to testing (Debian testing watch)
[2019-08-25] Accepted golang-github-ulikunitz-xz 0.5.6-1 (source) into unstable (Anthony Fok)
[2019-02-14] Accepted golang-github-ulikunitz-xz 0.5.5-1 (source all) into unstable, unstable (Reinhard Tartler)

bugs [bug history graph]

links

ubuntu