9.8 - RHSA-2019:4360

Problem Description:

An update for libyang is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libyang package provides a library for YANG data modeling language. libyang is a YANG data modelling language parser and toolkit written (and providing API) in C. The library is used e.g. in libnetconf2, Netopeer2, sysrepo and FRRouting projects.

Security Fix(es):

* libyang: stack-based buffer overflow in make_canonical when bits leaf type is used (CVE-2019-19333)

* libyang: stack-based buffer overflow in make_canonical when identityref leaf type is used (CVE-2019-19334)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

IMPORTANT:

The libyang-devel sub-package has recently been removed from the AppStream repository. If you have previously installed libyang-devel, remove it prior to applying this advisory to make the update successful.

4. Solution:

If you have previously installed libyang-devel, remove it prior to applying this advisory to make the update successful.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1779573 - CVE-2019-19333 libyang: stack-based buffer overflow in make_canonical when bits leaf type is used 1779576 - CVE-2019-19334 libyang: stack-based buffer overflow in make_canonical when identityref leaf type is used