
Re: libyang update for buster (low severity security issue)



Hi David,

On Sun, Dec 22, 2019 at 03:24:53PM +0100, David Lamparter wrote:
> Hi Debian Release team,
> Hi Vincent,
> 
> 
> >>>On Thu, Dec 05, 2019 at 06:36:33PM +0100, David Lamparter wrote:
> >>>> as the package maintainer for libyang, I regret to notify you there's a
> >>>> security problem.  For context, both of these issues rely on the
> >>>> attacker being able to supply a malformed/malicious YANG module, i.e.
> >>>> schema data.  Applications using libyang would generally hardcode/supply
> >>>> their own schemas, however if someone runs e.g. a schema validation
> >>>> service they may be at risk.
> 
> >>On Fri, Dec 06, 2019 at 10:36:21AM +0100, Salvatore Bonaccorso wrote:
> >>> Thanks for the heads up. These issues do not seem to warrant a DSA on
> >>> their own. Can you fix the issues via an upcoming point release?
> >>>
> >>> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
> 
> > ❦  6 December 2019 14:21 +01, David Lamparter <equinox@diac24.net>:
> >> Let me add Vincent to the mail loop here, I'm not a DM (yet) and he's
> >> been so kind to take my packages from mentors into Debian :)
> 
> On Fri, Dec 06, 2019 at 02:40:12PM +0100, Vincent Bernat wrote:
> > You can do most of the procedure yourself (prepare the package, get a
> > ack from release team). I only need to do the upload. Tell me if you
> > need help on anything.
> 
> I've uploaded libyang 0.16.105-2 on mentors.debian.net.  This fixes 2
> low-severity security issues, a caching crash, and some build issues.  I
> believe the package is appropriate for inclusion in buster.
> 
> https://mentors.debian.net/package/libyang
> https://mentors.debian.net/debian/pool/main/liby/libyang/libyang_0.16.105-2.dsc
> 
> The package is marked for unstable;  I wasn't quite sure whether an
> upload targeting "buster" would work on mentors, and whether I should
> use some "+deb10u1" version number.  The package works as-is on both
> buster and unstable.  Unrelatedly, unstable will get libyang 1.x soon.

For the issue to be accepted for buster, it would first need to be
addressed in unstable/testing (or some assurance this happens soon
after).

For the version for buster, the right version then would need to be
0.16.105-1+deb10u1. See above references for some more hints.

Hope this helps already.

Regards,
Salvatore

p.s.: use reportbug directly to then file a buster-pu update proposal
      bug for the SRM'ers, which adds the right tags; attaching a debdiff
      from the built and tested package is then also needed.

