Register | Log in

libyang

Choose email to subscribe with

general

source: libyang (main)
version: 3.13.6-1
maintainer: Daniel Baumann (DMD)
arch: any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.0.225-1.1
stable: 3.12.2-1
stable-bpo: 3.13.6-1~bpo13+1
testing: 3.13.6-1
unstable: 3.13.6-1
exp: 5.7.1-1

versioned links

1.0.225-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.12.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.13.6-1~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.13.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libyang-dev
libyang3
libyang3-tools

action needed

A new upstream version is available: 5.4.9 high

A new upstream version 5.4.9 is available, you should consider packaging it.

Created: 2025-12-05 Last update: 2026-05-15 14:00

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-44673: libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

Created: 2026-05-15 Last update: 2026-05-15 12:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-44673: libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

Created: 2026-05-15 Last update: 2026-05-15 12:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-44673: libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

Created: 2026-05-15 Last update: 2026-05-15 12:30

8 security issues in bullseye high

There are 8 open security issues in bullseye.

1 important issue:

CVE-2026-44673: libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

7 issues postponed or untriaged:

CVE-2021-28902: (needs triaging) In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.
CVE-2021-28903: (needs triaging) A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash.
CVE-2021-28904: (needs triaging) In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. If revision is NULL, the operation of strcmp(revision, ext_plugins[u].revision) will lead to a crash.
CVE-2021-28905: (needs triaging) In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. But in some cases, node->module can be null, which triggers a reachable assertion (CWE-617).
CVE-2021-28906: (needs triaging) In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.
CVE-2023-26916: (needs triaging) libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lys_parse_mem at lys_parse_mem.c.
CVE-2023-26917: (needs triaging) libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.

Created: 2026-05-15 Last update: 2026-05-15 12:30

lintian reports 4 errors and 1 warning high

Lintian reports 4 errors and 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-11-01 Last update: 2025-11-01 17:17

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-03-31 15:01

testing migrations

This package will soon be part of the auto-libyang transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[2026-04-29] Accepted libyang 5.7.1-1 (source) into experimental (Daniel Baumann)
[2026-04-03] Accepted libyang 5.4.9-1 (source) into experimental (Daniel Baumann)
[2026-03-30] Accepted libyang 5.4.5-1 (source) into experimental (Daniel Baumann)
[2026-03-25] Accepted libyang 5.4.1+really5.4.1-1 (source) into experimental (Daniel Baumann)
[2026-03-25] Accepted libyang 5.4.1-1 (source) into experimental (Daniel Baumann)
[2026-02-28] Accepted libyang 5.0.8-1 (source) into experimental (Daniel Baumann)
[2026-02-07] Accepted libyang 5.0.2-1 (source amd64) into experimental (Debian FTP Masters) (signed by: Daniel Baumann)
[2026-01-25] Accepted libyang 4.7.3-1 (source) into experimental (Daniel Baumann)
[2026-01-08] Accepted libyang 3.13.6-1~bpo13+1 (source amd64) into stable-backports (Debian FTP Masters) (signed by: bage@debian.org)
[2025-12-17] Accepted libyang 4.3.4-1 (source) into experimental (Daniel Baumann)
[2025-12-13] Accepted libyang 4.3.3-1 (source) into experimental (Daniel Baumann)
[2025-12-12] Accepted libyang 4.2.2-3 (source) into experimental (Daniel Baumann)
[2025-12-09] Accepted libyang 4.2.2-2 (source) into experimental (Daniel Baumann)
[2025-12-08] Accepted libyang 4.2.2-1 (source amd64) into experimental (Debian FTP Masters) (signed by: Daniel Baumann)
[2025-11-03] libyang 3.13.6-1 MIGRATED to testing (Debian testing watch)
[2025-11-01] Accepted libyang 3.13.6-1 (source) into unstable (Daniel Baumann)
[2025-08-17] libyang 3.13.5-2 MIGRATED to testing (Debian testing watch)
[2025-08-12] Accepted libyang 3.13.5-2 (source) into unstable (Daniel Baumann)
[2025-08-10] Accepted libyang 3.13.5-1 (source) into unstable (Daniel Baumann)
[2025-05-12] libyang 3.12.2-1 MIGRATED to testing (Debian testing watch)
[2025-05-02] Accepted libyang 3.12.2-1 (source) into unstable (Daniel Baumann)
[2025-03-26] libyang 3.7.8-5 MIGRATED to testing (Debian testing watch)
[2025-03-20] Accepted libyang 3.7.8-5 (source) into unstable (Daniel Baumann)
[2025-03-19] Accepted libyang 3.7.8-4 (source) into unstable (Daniel Baumann)
[2025-02-22] libyang 3.7.8-3 MIGRATED to testing (Debian testing watch)
[2025-02-16] Accepted libyang 3.7.8-3 (source) into unstable (Daniel Baumann)
[2025-02-10] libyang 3.7.8-2 MIGRATED to testing (Debian testing watch)
[2025-02-05] Accepted libyang 3.7.8-2 (source) into unstable (Daniel Baumann)
[2025-01-19] libyang 3.7.8-1 MIGRATED to testing (Debian testing watch)
[2025-01-14] Accepted libyang 3.7.8-1 (source) into unstable (Daniel Baumann)

1
2

bugs [bug history graph]

all: 0

links

homepage
lintian (4, 1)
buildd: logs, exp, reproducibility, cross
popcon
browse source code
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.13.6-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing