Hi Debian Release team, Hi Vincent,

>>> On Thu, Dec 05, 2019 at 06:36:33PM +0100, David Lamparter wrote:
>>>> as the package maintainer for libyang, I regret to notify you there's a
>>>> security problem. For context, both of these issues rely on the
>>>> attacker being able to supply a malformed/malicious YANG module, i.e.
>>>> schema data. Applications using libyang would generally hardcode/supply
>>>> their own schemas, however if someone runs e.g. a schema validation
>>>> service they may be at risk.

>> On Fri, Dec 06, 2019 at 10:36:21AM +0100, Salvatore Bonaccorso wrote:
>>> Thanks for the heads up. These issues do not seem to warrant a DSA on
>>> their own. Can you fix the issues via an upcoming point release?
>>>
>>> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

> ❦ 6 December 2019 14:21 +01, David Lamparter <equinox@diac24.net>:
>> Let me add Vincent to the mail loop here, I'm not a DM (yet) and he's
>> been so kind to take my packages from mentors into Debian :)

On Fri, Dec 06, 2019 at 02:40:12PM +0100, Vincent Bernat wrote:
> You can do most of the procedure yourself (prepare the package, get an
> ack from release team). I only need to do the upload. Tell me if you
> need help on anything.

I've uploaded libyang 0.16.105-2 on mentors.debian.net. This fixes 2
low-severity security issues, a caching crash, and some build issues. I
believe the package is appropriate for inclusion in buster.

https://mentors.debian.net/package/libyang
https://mentors.debian.net/debian/pool/main/liby/libyang/libyang_0.16.105-2.dsc

The package is marked for unstable; I wasn't quite sure whether an upload
targeting "buster" would work on mentors, and whether I should use some
"+deb10u1" version number. The package works as-is on both buster and
unstable. Unrelatedly, unstable will get libyang 1.x soon.

There's a new lintian error (which apparently wasn't checked before?), but
I don't want to touch the linking details for a stable update...

As I'm new to the Debian stable process, any input is appreciated :)

Cheers,

-David