diff mbox series

[36/36] xz: upgrade 5.4.6 -> 5.6.1

Message ID 1710313714-12541-36-git-send-email-wangmy@fujitsu.com
State New
Headers show
Series [01/36] debianutils: upgrade 5.16 -> 5.17 | expand

Commit Message

Mingyu Wang (Fujitsu) March 13, 2024, 7:08 a.m. UTC 
From: Wang Mingyu <wangmy@fujitsu.com>

License-Update:
================
*COPYING:
 Add the license for the XZ logo.
 Change most public domain parts to 0BSD.
 Update COPYING about the man pages of the scripts.
*getopt.c
 MSVC: Don't #include <unistd.h>.
 lib/getopt*.c: Include <config.h> only HAVE_CONFIG_H is defined.
 lib: Update getopt.c from Gnulib with modifications.
 lib: Silence -Wsign-conversion in getopt.c.
 Add SPDX license identifiers to GPL, LGPL, and FSFULLR files.

Changelog:
=============
* liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
  with GCC.
* xz: Changed the messages for thread reduction due to memory
  constraints to only appear under the highest verbosity level.
* Build:
    - Fixed a build issue when the header file <linux/landlock.h>
      was present on the system but the Landlock system calls were
      not defined in <sys/syscall.h>.
    - The CMake build now warns and disables NLS if both gettext
      tools and pre-created .gmo files are missing. Previously,
      this caused the CMake build to fail.
* Minor improvements to man pages.
* Minor improvements to tests.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 .../xz/{xz_5.4.6.bb => xz_5.6.1.bb}           | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)
 rename meta/recipes-extended/xz/{xz_5.4.6.bb => xz_5.6.1.bb} (79%)

Comments

Richard Purdie March 14, 2024, 1:40 p.m. UTC | #1 
On Wed, 2024-03-13 at 15:08 +0800, wangmy via lists.openembedded.org
wrote:
> From: Wang Mingyu <wangmy@fujitsu.com>
> 
> License-Update:
> ================
> *COPYING:
>  Add the license for the XZ logo.
>  Change most public domain parts to 0BSD.
>  Update COPYING about the man pages of the scripts.
> *getopt.c
>  MSVC: Don't #include <unistd.h>.
>  lib/getopt*.c: Include <config.h> only HAVE_CONFIG_H is defined.
>  lib: Update getopt.c from Gnulib with modifications.
>  lib: Silence -Wsign-conversion in getopt.c.
>  Add SPDX license identifiers to GPL, LGPL, and FSFULLR files.
> 
> Changelog:
> =============
> * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
>   with GCC.
> * xz: Changed the messages for thread reduction due to memory
>   constraints to only appear under the highest verbosity level.
> * Build:
>     - Fixed a build issue when the header file <linux/landlock.h>
>       was present on the system but the Landlock system calls were
>       not defined in <sys/syscall.h>.
>     - The CMake build now warns and disables NLS if both gettext
>       tools and pre-created .gmo files are missing. Previously,
>       this caused the CMake build to fail.
> * Minor improvements to man pages.
> * Minor improvements to tests.


https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737

Cheers,

Richard
Mark Hatle March 30, 2024, 1:03 a.m. UTC | #2 
I know this request is a week or so old..

But do NOT upgrade to 'xz' 5.6.0 or 5.6.1.  It has been compromised:

https://www.openwall.com/lists/oss-security/2024/03/29/4

--Mark

On 3/14/24 8:40 AM, Richard Purdie wrote:
> On Wed, 2024-03-13 at 15:08 +0800, wangmy via lists.openembedded.org
> wrote:
>> From: Wang Mingyu <wangmy@fujitsu.com>
>>
>> License-Update:
>> ================
>> *COPYING:
>>   Add the license for the XZ logo.
>>   Change most public domain parts to 0BSD.
>>   Update COPYING about the man pages of the scripts.
>> *getopt.c
>>   MSVC: Don't #include <unistd.h>.
>>   lib/getopt*.c: Include <config.h> only HAVE_CONFIG_H is defined.
>>   lib: Update getopt.c from Gnulib with modifications.
>>   lib: Silence -Wsign-conversion in getopt.c.
>>   Add SPDX license identifiers to GPL, LGPL, and FSFULLR files.
>>
>> Changelog:
>> =============
>> * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
>>    with GCC.
>> * xz: Changed the messages for thread reduction due to memory
>>    constraints to only appear under the highest verbosity level.
>> * Build:
>>      - Fixed a build issue when the header file <linux/landlock.h>
>>        was present on the system but the Landlock system calls were
>>        not defined in <sys/syscall.h>.
>>      - The CMake build now warns and disables NLS if both gettext
>>        tools and pre-created .gmo files are missing. Previously,
>>        this caused the CMake build to fail.
>> * Minor improvements to man pages.
>> * Minor improvements to tests.
> 
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737
> 
> Cheers,
> 
> Richard
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#197107): https://lists.openembedded.org/g/openembedded-core/message/197107
> Mute This Topic: https://lists.openembedded.org/mt/104900983/3616948
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [mark.hatle@kernel.crashing.org]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Marta Rybczynska March 30, 2024, 12:08 p.m. UTC | #3 
Absolutely confirm. DO NOT UPDATE

Marta

On Sat, 30 Mar 2024, 02:04 Mark Hatle, <mark.hatle@kernel.crashing.org>
wrote:

> I know this request is a week or so old..
>
> But do NOT upgrade to 'xz' 5.6.0 or 5.6.1.  It has been compromised:
>
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> --Mark
>
> On 3/14/24 8:40 AM, Richard Purdie wrote:
> > On Wed, 2024-03-13 at 15:08 +0800, wangmy via lists.openembedded.org
> > wrote:
> >> From: Wang Mingyu <wangmy@fujitsu.com>
> >>
> >> License-Update:
> >> ================
> >> *COPYING:
> >>   Add the license for the XZ logo.
> >>   Change most public domain parts to 0BSD.
> >>   Update COPYING about the man pages of the scripts.
> >> *getopt.c
> >>   MSVC: Don't #include <unistd.h>.
> >>   lib/getopt*.c: Include <config.h> only HAVE_CONFIG_H is defined.
> >>   lib: Update getopt.c from Gnulib with modifications.
> >>   lib: Silence -Wsign-conversion in getopt.c.
> >>   Add SPDX license identifiers to GPL, LGPL, and FSFULLR files.
> >>
> >> Changelog:
> >> =============
> >> * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
> >>    with GCC.
> >> * xz: Changed the messages for thread reduction due to memory
> >>    constraints to only appear under the highest verbosity level.
> >> * Build:
> >>      - Fixed a build issue when the header file <linux/landlock.h>
> >>        was present on the system but the Landlock system calls were
> >>        not defined in <sys/syscall.h>.
> >>      - The CMake build now warns and disables NLS if both gettext
> >>        tools and pre-created .gmo files are missing. Previously,
> >>        this caused the CMake build to fail.
> >> * Minor improvements to man pages.
> >> * Minor improvements to tests.
> >
> >
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737
> >
> > Cheers,
> >
> > Richard
> >
> >
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#197643):
> https://lists.openembedded.org/g/openembedded-core/message/197643
> Mute This Topic: https://lists.openembedded.org/mt/105226831/5827677
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> rybczynska@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
Richard Purdie March 30, 2024, 12:26 p.m. UTC | #4 
On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote:
> Absolutely confirm. DO NOT UPDATE
> 
> Marta
> 
> On Sat, 30 Mar 2024, 02:04 Mark Hatle,
> <mark.hatle@kernel.crashing.org> wrote:
> > I know this request is a week or so old..
> > 
> > But do NOT upgrade to 'xz' 5.6.0 or 5.6.1.  It has been
> > compromised:
> > 
> > https://www.openwall.com/lists/oss-security/2024/03/29/4
> > 
> > --Mark

We're not going to. The upgrade was already dropped after it failed
build testing. I do wonder why it failed.

https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737

I've ensured the sources were removed from our mirrors too.

Cheers,

Richard
Alexander Kanavin March 30, 2024, 12:52 p.m. UTC | #5 
I’m slightly worried. Does this compromise build systems (given that back
door was injected into autoconf scripts) or only systems where xz binaries
are installed?

Ale

On Sat 30. Mar 2024 at 13.26, Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote:
> > Absolutely confirm. DO NOT UPDATE
> >
> > Marta
> >
> > On Sat, 30 Mar 2024, 02:04 Mark Hatle,
> > <mark.hatle@kernel.crashing.org> wrote:
> > > I know this request is a week or so old..
> > >
> > > But do NOT upgrade to 'xz' 5.6.0 or 5.6.1.  It has been
> > > compromised:
> > >
> > > https://www.openwall.com/lists/oss-security/2024/03/29/4
> > >
> > > --Mark
>
> We're not going to. The upgrade was already dropped after it failed
> build testing. I do wonder why it failed.
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737
>
> I've ensured the sources were removed from our mirrors too.
>
> Cheers,
>
> Richard
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#197649):
> https://lists.openembedded.org/g/openembedded-core/message/197649
> Mute This Topic: https://lists.openembedded.org/mt/105226831/1686489
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> alex.kanavin@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
Martin Jansa March 30, 2024, 1:06 p.m. UTC | #6 
From what is publicly known it injected malicious code (through m4
macro using payload hidden in obfuscated compressed test file) into
built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in
sshd (when sshd is built with patch adding systemd notifications which
brings liblzma dependency to sshd e.g. on debian and ubuntu based
systems).

The build systems which just built this xz version shouldn't be
affected (as it won't be using the liblzma.so from the OE build on the
host).

This publicly known part should be OK for OE, but it's right to be
worried about the other things which aren't known (not only from these
guys or from xz project).

Regards,

On Sat, Mar 30, 2024 at 1:52 PM Alexander Kanavin
<alex.kanavin@gmail.com> wrote:
>
> I’m slightly worried. Does this compromise build systems (given that back door was injected into autoconf scripts) or only systems where xz binaries are installed?
>
> Ale
>
> On Sat 30. Mar 2024 at 13.26, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>>
>> On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote:
>> > Absolutely confirm. DO NOT UPDATE
>> >
>> > Marta
>> >
>> > On Sat, 30 Mar 2024, 02:04 Mark Hatle,
>> > <mark.hatle@kernel.crashing.org> wrote:
>> > > I know this request is a week or so old..
>> > >
>> > > But do NOT upgrade to 'xz' 5.6.0 or 5.6.1.  It has been
>> > > compromised:
>> > >
>> > > https://www.openwall.com/lists/oss-security/2024/03/29/4
>> > >
>> > > --Mark
>>
>> We're not going to. The upgrade was already dropped after it failed
>> build testing. I do wonder why it failed.
>>
>> https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737
>>
>> I've ensured the sources were removed from our mirrors too.
>>
>> Cheers,
>>
>> Richard
>>
>>
>>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#197650): https://lists.openembedded.org/g/openembedded-core/message/197650
> Mute This Topic: https://lists.openembedded.org/mt/105226831/3617156
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [martin.jansa@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Richard Purdie March 30, 2024, 4:18 p.m. UTC | #7 
On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> From what is publicly known it injected malicious code (through m4
> macro using payload hidden in obfuscated compressed test file) into
> built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in
> sshd (when sshd is built with patch adding systemd notifications
> which brings liblzma dependency to sshd e.g. on debian and ubuntu
> based systems).
> 
> The build systems which just built this xz version shouldn't be
> affected (as it won't be using the liblzma.so from the OE build on
> the host).
> 
> This publicly known part should be OK for OE, but it's right to be
> worried about the other things which aren't known (not only from
> these guys or from xz project).

I concur.

It is worrying but I've kind of been expecting something like this for
a while unfortunately.

We need to watch what is going on and act accordingly if/as anything
else becomes known. 

Cheers,

Richard
Fathi Boudra April 1, 2024, 9:42 a.m. UTC | #8 
On Sat, 30 Mar 2024 at 17:18, Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > From what is publicly known it injected malicious code (through m4
> > macro using payload hidden in obfuscated compressed test file) into
> > built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in
> > sshd (when sshd is built with patch adding systemd notifications
> > which brings liblzma dependency to sshd e.g. on debian and ubuntu
> > based systems).
> >
> > The build systems which just built this xz version shouldn't be
> > affected (as it won't be using the liblzma.so from the OE build on
> > the host).
> >
> > This publicly known part should be OK for OE, but it's right to be
> > worried about the other things which aren't known (not only from
> > these guys or from xz project).
>
> I concur.
>
> It is worrying but I've kind of been expecting something like this for
> a while unfortunately.
>
> We need to watch what is going on and act accordingly if/as anything
> else becomes known.

https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Distros have downgraded to older releases, still trying to figure out
which version to use.

> Cheers,
>
> Richard
Denys Dmytriyenko April 1, 2024, 7:02 p.m. UTC | #9 
On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote:
> On Sat, 30 Mar 2024 at 17:18, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> >
> > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > > From what is publicly known it injected malicious code (through m4
> > > macro using payload hidden in obfuscated compressed test file) into
> > > built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in
> > > sshd (when sshd is built with patch adding systemd notifications
> > > which brings liblzma dependency to sshd e.g. on debian and ubuntu
> > > based systems).
> > >
> > > The build systems which just built this xz version shouldn't be
> > > affected (as it won't be using the liblzma.so from the OE build on
> > > the host).
> > >
> > > This publicly known part should be OK for OE, but it's right to be
> > > worried about the other things which aren't known (not only from
> > > these guys or from xz project).
> >
> > I concur.
> >
> > It is worrying but I've kind of been expecting something like this for
> > a while unfortunately.
> >
> > We need to watch what is going on and act accordingly if/as anything
> > else becomes known.
> 
> https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> 
> Distros have downgraded to older releases, still trying to figure out
> which version to use.

While 5.4.6 version we've upgraded to in February was not yet compromised, 
it was already being taken over by Jia Tan, moving releases to controlled 
subdomain of xz.tukaani.org hosted off of GitHub directly, preparing for the 
malicious release of 5.6.0 and 5.6.1. So, we've pointed to GitHub location 
accordingly:

https://git.openembedded.org/openembedded-core/commit/?id=9cc6c809c154019afe3bf6e6d617eab640faa4d0
https://git.openembedded.org/openembedded-core/commit/?id=5be69fc3ff6296411c736e5c7c9522d99c0be2c6

But GitHub has suspended the project and associated developer accounts. The 
original maintainer has posted some details on this matter here:

https://tukaani.org/xz-backdoor/

Again, 5.4.6 tarball wasn't compromised, but it is no longer accessible from 
GitHub - should we revert back to 5.4.5 that was hosted on the original site? 
Though it should be mirrored...
Marta Rybczynska April 1, 2024, 7:57 p.m. UTC | #10 
On Mon, Apr 1, 2024 at 9:02 PM Denys Dmytriyenko <denis@denix.org> wrote:
>
> On Mon, Apr 01, 2024 at 11:42:51AM +0200, Fathi Boudra wrote:
> > On Sat, 30 Mar 2024 at 17:18, Richard Purdie
> > <richard.purdie@linuxfoundation.org> wrote:
> > >
> > > On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> > > > From what is publicly known it injected malicious code (through m4
> > > > macro using payload hidden in obfuscated compressed test file) into
> > > > built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in
> > > > sshd (when sshd is built with patch adding systemd notifications
> > > > which brings liblzma dependency to sshd e.g. on debian and ubuntu
> > > > based systems).
> > > >
> > > > The build systems which just built this xz version shouldn't be
> > > > affected (as it won't be using the liblzma.so from the OE build on
> > > > the host).
> > > >
> > > > This publicly known part should be OK for OE, but it's right to be
> > > > worried about the other things which aren't known (not only from
> > > > these guys or from xz project).
> > >
> > > I concur.
> > >
> > > It is worrying but I've kind of been expecting something like this for
> > > a while unfortunately.
> > >
> > > We need to watch what is going on and act accordingly if/as anything
> > > else becomes known.
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2024-3094
> >
> > Distros have downgraded to older releases, still trying to figure out
> > which version to use.
>
> While 5.4.6 version we've upgraded to in February was not yet compromised,
> it was already being taken over by Jia Tan, moving releases to controlled
> subdomain of xz.tukaani.org hosted off of GitHub directly, preparing for the
> malicious release of 5.6.0 and 5.6.1. So, we've pointed to GitHub location
> accordingly:
>
> https://git.openembedded.org/openembedded-core/commit/?id=9cc6c809c154019afe3bf6e6d617eab640faa4d0
> https://git.openembedded.org/openembedded-core/commit/?id=5be69fc3ff6296411c736e5c7c9522d99c0be2c6
>
> But GitHub has suspended the project and associated developer accounts. The
> original maintainer has posted some details on this matter here:
>
> https://tukaani.org/xz-backdoor/
>
> Again, 5.4.6 tarball wasn't compromised, but it is no longer accessible from
> GitHub - should we revert back to 5.4.5 that was hosted on the original site?
> Though it should be mirrored...
>

The repository is disabled by GitHub, and the recipe does not work
from this end.
We need to switch to the older mirror and to the last version that was present.
There are other parts of the attack coming out each day, so we should
know to which version
we need to revert quite soon.

Regards,
Marta
Marta Rybczynska April 2, 2024, 5:41 a.m. UTC | #11 
On Sat, Mar 30, 2024 at 1:26 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Sat, 2024-03-30 at 13:08 +0100, Marta Rybczynska wrote:
> > Absolutely confirm. DO NOT UPDATE
> >
> > Marta
> >
> > On Sat, 30 Mar 2024, 02:04 Mark Hatle,
> > <mark.hatle@kernel.crashing.org> wrote:
> > > I know this request is a week or so old..
> > >
> > > But do NOT upgrade to 'xz' 5.6.0 or 5.6.1.  It has been
> > > compromised:
> > >
> > > https://www.openwall.com/lists/oss-security/2024/03/29/4
> > >
> > > --Mark
>
> We're not going to. The upgrade was already dropped after it failed
> build testing. I do wonder why it failed.
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/48/builds/8737
>
> I've ensured the sources were removed from our mirrors too.


It looks to me that the Autobuilder has actually seen a side-effect of
the backdoor...

Marta
diff mbox series

Patch

diff --git a/meta/recipes-extended/xz/xz_5.4.6.bb b/meta/recipes-extended/xz/xz_5.6.1.bb
similarity index 79%
rename from meta/recipes-extended/xz/xz_5.4.6.bb
rename to meta/recipes-extended/xz/xz_5.6.1.bb
index da3b75a10b..dd6388e7dd 100644
--- a/meta/recipes-extended/xz/xz_5.4.6.bb
+++ b/meta/recipes-extended/xz/xz_5.6.1.bb
@@ -8,26 +8,27 @@  SECTION = "base"
 # packages, and the LGPL bits are under lib/, which appears to be used for
 # libgnu, which appears to be used for DOS builds. So we're left with
 # GPL-2.0-or-later and PD.
-LICENSE = "GPL-2.0-or-later & GPL-3.0-with-autoconf-exception & LGPL-2.1-or-later & PD"
-LICENSE:${PN} = "GPL-2.0-or-later"
-LICENSE:${PN}-dev = "GPL-2.0-or-later"
-LICENSE:${PN}-staticdev = "GPL-2.0-or-later"
-LICENSE:${PN}-doc = "GPL-2.0-or-later"
-LICENSE:${PN}-dbg = "GPL-2.0-or-later"
-LICENSE:${PN}-locale = "GPL-2.0-or-later"
+LICENSE = "GPL-2.0-or-later & GPL-3.0-with-autoconf-exception & LGPL-2.1-or-later & PD & 0BSD"
+LICENSE:${PN} = "GPL-2.0-or-later & 0BSD"
+LICENSE:${PN}-dev = "GPL-2.0-or-later & 0BSD"
+LICENSE:${PN}-staticdev = "GPL-2.0-or-later & 0BSD"
+LICENSE:${PN}-doc = "GPL-2.0-or-later & 0BSD"
+LICENSE:${PN}-dbg = "GPL-2.0-or-later & 0BSD"
+LICENSE:${PN}-locale = "GPL-2.0-or-later & 0BSD"
 LICENSE:liblzma = "PD"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=d4378ea9d5d1fc9ab0ae10d7948827d9 \
+LIC_FILES_CHKSUM = "file://COPYING;md5=3ef4de063517b8d33e97bbb87a3339ee \
                     file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
                     file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c \
-                    file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \
+                    file://lib/getopt.c;endline=23;md5=3f33e207287bf72834f3ae8c247dfb6a \
+                    file://COPYING.0BSD;md5=0672c210ce80c83444339b9aa31fee2f \
                     "
 
 SRC_URI = "https://github.com/tukaani-project/xz/releases/download/v${PV}/xz-${PV}.tar.gz \
            file://run-ptest \
           "
-SRC_URI[sha256sum] = "aeba3e03bf8140ddedf62a0a367158340520f6b384f75ca6045ccc6c0d43fd5c"
+SRC_URI[sha256sum] = "2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8"
 UPSTREAM_CHECK_REGEX = "releases/tag/v(?P<pver>\d+(\.\d+)+)"
 UPSTREAM_CHECK_URI = "https://github.com/tukaani-project/xz/releases/"