Re: libyang update for buster (low severity security issue)
Hi David,
On Sun, Dec 22, 2019 at 03:24:53PM +0100, David Lamparter wrote:
> Hi Debian Release team,
> Hi Vincent,
>
>
> >>>On Thu, Dec 05, 2019 at 06:36:33PM +0100, David Lamparter wrote:
> >>>> as the package maintainer for libyang, I regret to notify you there's a
> >>>> security problem. For context, both of these issues rely on the
> >>>> attacker being able to supply a malformed/malicious YANG module, i.e.
> >>>> schema data. Applications using libyang would generally hardcode/supply
> >>>> their own schemas, however if someone runs e.g. a schema validation
> >>>> service they may be at risk.
>
> >>On Fri, Dec 06, 2019 at 10:36:21AM +0100, Salvatore Bonaccorso wrote:
> >>> Thanks for the heads up. These issues do not seem to warrant a DSA on
> >>> their own. Can you fix the issues via an upcoming point release?
> >>>
> >>> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
>
> > ❦ 6 December 2019 14:21 +01, David Lamparter <equinox@diac24.net>:
> >> Let me add Vincent to the mail loop here, I'm not a DM (yet) and he's
> >> been so kind to take my packages from mentors into Debian :)
>
> On Fri, Dec 06, 2019 at 02:40:12PM +0100, Vincent Bernat wrote:
> > You can do most of the procedure yourself (prepare the package, get a
> > ack from release team). I only need to do the upload. Tell me if you
> > need help on anything.
>
> I've uploaded libyang 0.16.105-2 on mentors.debian.net. This fixes 2
> low-severity security issues, a caching crash, and some build issues. I
> believe the package is appropriate for inclusion in buster.
>
> https://mentors.debian.net/package/libyang
> https://mentors.debian.net/debian/pool/main/liby/libyang/libyang_0.16.105-2.dsc
>
> The package is marked for unstable; I wasn't quite sure whether an
> upload targeting "buster" would work on mentors, and whether I should
> use some "+deb10u1" version number. The package works as-is on both
> buster and unstable. Unrelatedly, unstable will get libyang 1.x soon.
For the issue to be accepted for buster, it would first need to be
addressed in unstable/testing (or some assurance this happens soon
after).
For the version for buster, the right version then would need to be
0.16.105-1+deb10u1. See above references for some more hints.
Hope this helps already.
Regards,
Salvatore
p.s.: use reportbug directly to then file a buster-pu update proposal
bug for the SRM'ers, which adds the right tags; attaching a debdiff
from the built and tested package is then needed as well.