Your message dated Tue, 19 May 2020 19:33:11 +0000
with message-id <e1jb7zd-0009em...@fasolo.debian.org>
and subject line Bug#946217: fixed in libyang 0.16.105-1+deb10u1
has caused the Debian Bug report #946217,
regarding CVE-2019-19333 & CVE-2019-19334 in libyang
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
946217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libyang0.16
Version: 0.16.105-1
Tags: security
Severity: grave

This is a security issue tracking bug for CVEs:
- CVE-2019-19333
- CVE-2019-19334

Both issues are bugs in processing YANG models and may affect users
loading or validating untrusted YANG models.  This is a relatively rare
use case as normal application use of libyang would rely on application
supplied models.

Fixes are available upstream.

As the package maintainer, my plan for unstable is to ship a 0.16.105-2
quickly, followed by actually bringing 1.0.x into unstable.

I've contacted the Debian security team wrt. fixing this for buster.


-David

--- End Message ---
--- Begin Message ---
Source: libyang
Source-Version: 0.16.105-1+deb10u1
Done: Ondřej Surý <ond...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libyang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated libyang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 May 2020 09:02:56 +0200
Source: libyang
Architecture: source
Version: 0.16.105-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: David Lamparter <equinox-deb...@diac24.net>
Changed-By: Ondřej Surý <ond...@debian.org>
Closes: 946217
Changes:
 libyang (0.16.105-1+deb10u1) buster; urgency=medium
 .
   * Fix CVE-2019-19333 & CVE-2019-19334 (Closes: #946217)
   * Fix cache corruption crash (upstream bug 752)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
