I have created a transition tracker (copied from Debian) http://people.canonical.com/~ubuntu-archive/transitions/html/libzip.html
--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libzip in Ubuntu.
https://bugs.launchpad.net/bugs/1674057

Title:
  [FFe] upgrade libzip to version 1.5.0

Status in libzip package in Ubuntu:
  New
Status in libzip package in Debian:
  New

Bug description:
  Feature Freeze Justification
  ============================
  This release fixes two CVEs and, most notably, has removed its custom AES crypto implementation in favour of using openssl libraries. It is for these security reasons that I am requesting this FFe this late in the cycle.

  Other Changes:
  - A bunch of bug fixes
  - A number of new features like bzip2 (this is optional and could be disabled for 18.04), improved AES encryption support; some of the new features are for other platforms only
  - Breaks API (only 1 symbol was removed though), soname bump, so will require a mini transition; all the 24 reverse-depends that I count are in universe. Some are seeded in flavours (see below)
  - Build system switched to CMake in latest release
  - Ark will build with libzip support where it didn't before

  Testing:
  It has a fairly comprehensive test suite, all tests are now passing.
  I have run a test rebuild for all the rdepends in ppa:darkxst/libzip. All built successfully, except for 2 packages, cbmc and plume-creater, that had unrelated fallout due to gcc7 and other packaging changes (fixed on PPA).

  Other Notes:
  - Various fixes (rpath, man page syntax, leaky private symbols and pkg-config fixes) have been committed upstream and will be released soon in a 1.5.1 release, cherry-picked patches for now
  - I will also push for the update into Debian

  Build Logs:
  https://launchpadlibrarian.net/363623662/buildlog_ubuntu-bionic-amd64.libzip_1.5.0-0ubuntu1~bionic6_BUILDING.txt.gz

  Reverse-depends of libzip4 that are seeded:
  ark (from ark) is seeded in:
    kubuntu: daily-live
    lubuntu-next: daily-live
  ideviceinstaller is seeded in:
    ubuntu-mate: daily-live
  libepub0 is seeded in:
    kubuntu: daily-live
    ubuntustudio: dvd
  libpstoedit0c2a is seeded in:
    kubuntu: supported
  okular-extra-backends is seeded in:
    kubuntu: daily-live

  Upstream Changelog
  ==================

  1.5.0 [2018-03-11]
  ==================
  * Use standard cryptographic library instead of custom AES implementation. This also simplifies the license.
  * Use `clang-format` to format the source code.
  * More Windows improvements.

  1.4.0 [2017-12-29]
  ==================
  * Improve build with cmake
  * Retire autoconf/automake build system
  * Add `zip_source_buffer_fragment()`.
  * Add support to clone unchanged beginning of archive (instead of rewriting it). Supported for buffer sources and on Apple File System.
  * Add support for Microsoft Universal Windows Platform.

  1.3.2 [2017-11-20]
  ==================
  * Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed.

  1.3.1 [2017-11-19]
  ==================
  * Install zipconf.h into ${PREFIX}/include
  * Add zip_libzip_version()
  * Fix AES tests on Linux

  1.3.0 [2017-09-02]
  ==================
  * Support bzip2 compressed zip archives
  * Improve file progress callback code
  * Fix zip_fdopen()
  * CVE-2017-12858: Fix double free()
  * CVE-2017-14107: Improve EOCD64 parsing

  1.2.0 [2017-02-19]
  ==================
  * Support for AES encryption (Winzip version), both encryption and decryption
  * Support legacy zip files with >64k entries
  * Fix seeking in zip_source_file if start > 0
  * Add zip_fseek() for seeking in uncompressed data
  * Add zip_ftell() for telling position in uncompressed data
  * Add zip_register_progress_callback() for UI updates during zip_close()

  1.1.3 [2016-05-28]
  ==================
  * Fix build on Windows when using autoconf