Your message dated Thu, 26 Dec 2019 12:34:39 +0000
with message-id <e1ikslf-000dai...@fasolo.debian.org>
and subject line Bug#946217: fixed in libyang 0.16.105-2
has caused the Debian Bug report #946217,
regarding CVE-2019-19333 & CVE-2019-19334 in libyang
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
946217: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libyang0.16
Version: 0.16.105-1
Tags: security
Severity: grave

This is a security issue tracking bug for CVEs:
- CVE-2019-19333
- CVE-2019-19334

Both issues are bugs in processing YANG models and may affect users
loading or validating untrusted YANG models.  This is a relatively rare
use case as normal application use of libyang would rely on application
supplied models.

Fixes are available upstream.

As the package maintainer, my plan for unstable is to ship a 0.16.105-2
quickly, followed by actually bringing 1.0.x into unstable.

I've contacted the Debian security team wrt. fixing this for buster.


-David

--- End Message ---
--- Begin Message ---
Source: libyang
Source-Version: 0.16.105-2

We believe that the bug you reported is fixed in the latest version of
libyang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Lamparter <equinox-deb...@diac24.net> (supplier of updated libyang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 22 Dec 2019 14:27:01 +0100
Source: libyang
Architecture: source
Version: 0.16.105-2
Distribution: unstable
Urgency: medium
Maintainer: David Lamparter <equinox-deb...@diac24.net>
Changed-By: David Lamparter <equinox-deb...@diac24.net>
Closes: 925764 946217
Changes:
 libyang (0.16.105-2) unstable; urgency=medium
 .
   * fix CVE-2019-19333 & CVE-2019-19334 (Closes: #946217)
   * fix cache corruption crash (upstream bug 752)
   * fix some gcc & swig version dependent build failures (Closes: #925764)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
