Debian Package Tracker

libyaml-syck-perl

Perl module providing a fast, lightweight YAML loader and dumper

general
  • source: libyaml-syck-perl (main)
  • version: 1.36-3
  • maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
  • uploaders: gregor herrmann [DMD] – Ansgar Burchardt [DMD]
  • arch: any
  • std-ver: 4.7.3
  • VCS: Git (Browse, QA)
versions
  • o-o-stable: 1.34-1
  • o-o-sec: 1.34-1+deb11u1
  • oldstable: 1.34-2+deb12u2
  • old-sec: 1.34-2+deb12u2
  • stable: 1.34-2+deb13u2
  • stable-sec: 1.34-2+deb13u2
  • testing: 1.36-2
  • unstable: 1.36-3
versioned links
  • 1.34-1: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.34-1+deb11u1: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.34-2+deb12u2: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.34-2+deb13u2: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.36-2: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.36-3: [.dsc] [changelog] [copyright] [rules] [control]
binaries
  • libyaml-syck-perl
action needed
A new upstream version is available: 1.45 [high]
A new upstream version 1.45 is available, you should consider packaging it.
Created: 2026-03-21 Last update: 2026-05-20 22:30
1 security issue in forky [high]

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-5089: YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both the int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:

        while ( colon >= ptr && *colon != ':' ) { colon--; }
        if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here

    When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
Created: 2026-05-12 Last update: 2026-05-19 11:31
The package has not entered testing even though the delay is over [normal]
The package has not entered testing even though the 5-day delay is over. Check why.
Created: 2026-05-19 Last update: 2026-05-20 20:33
1 low-priority security issue in trixie [low]

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:
  • CVE-2026-5089: (needs triaging) YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both the int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:

        while ( colon >= ptr && *colon != ':' ) { colon--; }
        if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here

    When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-12 Last update: 2026-05-19 11:31
1 low-priority security issue in bookworm [low]

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:
  • CVE-2026-5089: (needs triaging) YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both the int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:

        while ( colon >= ptr && *colon != ':' ) { colon--; }
        if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here

    When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-05-12 Last update: 2026-05-19 11:31
debian/patches: 1 patch to forward upstream [low]

Among the 4 debian patches available in version 1.36-3 of the package, we noticed the following issues:

  • 1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2026-03-17 Last update: 2026-05-13 07:00
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).
Created: 2026-03-31 Last update: 2026-05-13 01:33
testing migrations
  • excuses:
    • Migration status for libyaml-syck-perl (1.36-2 to 1.36-3): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
      • Autopkgtest for libcatalyst-action-rest-perl/1.21-2: i386: Pass ♻
      • Autopkgtest for libcatalyst-action-rest-perl/1.22-1: amd64: Pass, arm64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
      • Autopkgtest for libcgi-formbuilder-source-yaml-perl/1.0.8-5: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
      • Autopkgtest for libdata-serializer-perl/0.65-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
      • Autopkgtest for librose-db-perl/0.786-1: i386: Pass ♻, riscv64: Pass ♻
      • Autopkgtest for libyaml-syck-perl/1.36-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/liby/libyaml-syck-perl.html
      • Reproduced on amd64
      • Reproduced on arm64
      • Reproduced on armhf
      • Reproduced on i386
      • 8 days old (needed 5 days)
    • Not considered
news
  • [2026-05-12] Accepted libyaml-syck-perl 1.36-3 (source) into unstable (Salvatore Bonaccorso)
  • [2026-04-09] Accepted libyaml-syck-perl 1.34-1+deb11u1 (source) into oldoldstable-security (Andrej Shadura) (signed by: Andrew Shadura)
  • [2026-03-27] Accepted libyaml-syck-perl 1.34-2+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2026-03-27] Accepted libyaml-syck-perl 1.34-2+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2026-03-22] Accepted libyaml-syck-perl 1.34-2+deb13u2 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2026-03-22] Accepted libyaml-syck-perl 1.34-2+deb12u2 (source) into oldstable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2026-03-19] libyaml-syck-perl 1.36-2 MIGRATED to testing (Debian testing watch)
  • [2026-03-17] Accepted libyaml-syck-perl 1.36-2 (source) into unstable (Salvatore Bonaccorso)
  • [2026-01-04] libyaml-syck-perl 1.36-1 MIGRATED to testing (Debian testing watch)
  • [2026-01-02] Accepted libyaml-syck-perl 1.36-1 (source) into unstable (gregor herrmann)
  • [2025-10-19] Accepted libyaml-syck-perl 1.34-2+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2025-10-19] Accepted libyaml-syck-perl 1.34-2+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2025-10-18] libyaml-syck-perl 1.34-4 MIGRATED to testing (Debian testing watch)
  • [2025-10-16] Accepted libyaml-syck-perl 1.34-4 (source) into unstable (Salvatore Bonaccorso)
  • [2025-09-08] libyaml-syck-perl 1.34-3 MIGRATED to testing (Debian testing watch)
  • [2025-09-05] Accepted libyaml-syck-perl 1.34-3 (source) into unstable (Roland Rosenfeld)
  • [2022-10-18] libyaml-syck-perl 1.34-2 MIGRATED to testing (Debian testing watch)
  • [2022-10-16] Accepted libyaml-syck-perl 1.34-2 (source) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2020-10-31] libyaml-syck-perl 1.34-1 MIGRATED to testing (Debian testing watch)
  • [2020-10-28] Accepted libyaml-syck-perl 1.34-1 (source) into unstable (gregor herrmann)
  • [2020-02-26] libyaml-syck-perl 1.32-2 MIGRATED to testing (Debian testing watch)
  • [2020-02-04] Accepted libyaml-syck-perl 1.32-2 (source) into unstable (gregor herrmann)
  • [2020-01-29] Accepted libyaml-syck-perl 1.32-1 (source) into unstable (gregor herrmann)
  • [2018-10-28] libyaml-syck-perl 1.31-1 MIGRATED to testing (Debian testing watch)
  • [2018-10-26] Accepted libyaml-syck-perl 1.31-1 (source) into unstable (gregor herrmann)
  • [2018-05-09] libyaml-syck-perl 1.30-1 MIGRATED to testing (Debian testing watch)
  • [2018-05-05] Accepted libyaml-syck-perl 1.30-1 (source) into unstable (gregor herrmann)
  • [2015-11-12] libyaml-syck-perl 1.29-1 MIGRATED to testing (Britney)
  • [2015-11-01] Accepted libyaml-syck-perl 1.29-1 (source) into unstable (gregor herrmann)
  • [2013-08-20] libyaml-syck-perl 1.27-2 MIGRATED to testing (Debian testing watch)
bugs
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu
  • version: 1.36-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers