Debian Package Tracker
Register | Log in
Subscribe

golang-github-ulikunitz-xz

Pure golang package for reading and writing xz-compressed files

Choose email to subscribe with

general
  • source: golang-github-ulikunitz-xz (main)
  • version: 0.5.15-1
  • maintainer: Debian Go Packaging Team (DMD)
  • uploaders: Reinhard Tartler [DMD] – Anthony Fok [DMD]
  • arch: all
  • std-ver: 4.5.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.5.6-2
  • oldstable: 0.5.6-2
  • stable: 0.5.6-2
  • testing: 0.5.15-1
  • unstable: 0.5.15-1
versioned links
  • 0.5.6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.5.15-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • golang-github-ulikunitz-xz-dev
action needed
1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2025-58058: xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
Created: 2025-08-30 Last update: 2025-09-04 22:01
lintian reports 3 warnings normal
Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2025-09-02 Last update: 2025-09-02 04:33
1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2025-58058: (needs triaging) xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-30 Last update: 2025-09-04 22:01
1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2025-58058: (needs triaging) xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-30 Last update: 2025-09-04 22:01
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.5.0).
Created: 2019-09-29 Last update: 2025-09-01 19:36
news
[rss feed]
  • [2025-09-04] golang-github-ulikunitz-xz 0.5.15-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-01] Accepted golang-github-ulikunitz-xz 0.5.15-1 (source) into unstable (Dylan Aïssi)
  • [2024-08-09] Accepted golang-github-ulikunitz-xz 0.5.12-1 (source) into experimental (Reinhard Tartler)
  • [2021-05-21] golang-github-ulikunitz-xz 0.5.6-2 MIGRATED to testing (Debian testing watch)
  • [2021-05-16] Accepted golang-github-ulikunitz-xz 0.5.6-2 (source) into unstable (Shengjing Zhu)
  • [2019-08-27] golang-github-ulikunitz-xz 0.5.6-1 MIGRATED to testing (Debian testing watch)
  • [2019-08-25] Accepted golang-github-ulikunitz-xz 0.5.6-1 (source) into unstable (Anthony Fok)
  • [2019-02-14] Accepted golang-github-ulikunitz-xz 0.5.5-1 (source all) into unstable, unstable (Reinhard Tartler)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian (0, 3)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 0.5.6-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing