
libyang update for buster (low severity security issue)



Hi Debian Release team,
Hi Vincent,


>>>On Thu, Dec 05, 2019 at 06:36:33PM +0100, David Lamparter wrote:
>>>> as the package maintainer for libyang, I regret to notify you there's a
>>>> security problem.  For context, both of these issues rely on the
>>>> attacker being able to supply a malformed/malicious YANG module, i.e.
>>>> schema data.  Applications using libyang would generally hardcode/supply
>>>> their own schemas, however if someone runs e.g. a schema validation
>>>> service they may be at risk.

>>On Fri, Dec 06, 2019 at 10:36:21AM +0100, Salvatore Bonaccorso wrote:
>>> Thanks for the heads up. These issues do not seem to warrant a DSA on
>>> their own. Can you fix the issues via an upcoming point release?
>>>
>>> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

> ❦  6 December 2019 14:21 +01, David Lamparter <equinox@diac24.net>:
>> Let me add Vincent to the mail loop here, I'm not a DM (yet) and he's
>> been so kind to take my packages from mentors into Debian :)

On Fri, Dec 06, 2019 at 02:40:12PM +0100, Vincent Bernat wrote:
> You can do most of the procedure yourself (prepare the package, get a
> ack from release team). I only need to do the upload. Tell me if you
> need help on anything.

I've uploaded libyang 0.16.105-2 on mentors.debian.net.  This fixes 2
low-severity security issues, a caching crash, and some build issues.  I
believe the package is appropriate for inclusion in buster.

https://mentors.debian.net/package/libyang
https://mentors.debian.net/debian/pool/main/liby/libyang/libyang_0.16.105-2.dsc

The package is marked for unstable; I wasn't quite sure whether an
upload targeting "buster" would work on mentors, and whether I should
use some "+deb10u1" version number.  The package works as-is on both
buster and unstable.  Unrelatedly, unstable will get libyang 1.x soon.

There's a new lintian error (which apparently wasn't checked before?),
but I don't want to touch the linking details for a stable update...

As I'm new to the Debian stable process, any input is appreciated :)


Cheers,

-David
