SUSE-SU-2026:22172-1: important: Security update for zypper, libzypp, libsolv

SLE-SECURITY-UPDATES null at suse.de
Tue Jun 23 16:40:42 UTC 2026


# Security update for zypper, libzypp, libsolv

Announcement ID: SUSE-SU-2026:22172-1  
Release Date: 2026-06-19T07:35:00Z  
Rating: important  
References:

  * bsc#1239718
  * bsc#1246504
  * bsc#1253193
  * bsc#1259706
  * bsc#1259802
  * bsc#1259842
  * bsc#1265223
  * bsc#1265935
  * bsc#1265938
  * bsc#1266039
  * bsc#1267426
  * bsc#1267874
  * jsc#PED-13680
  * jsc#PED-15607

  
Cross-References:

  * CVE-2026-25707
  * CVE-2026-44933
  * CVE-2026-44941
  * CVE-2026-44942
  * CVE-2026-48863
  * CVE-2026-9149
  * CVE-2026-9150

  
CVSS scores:

  * CVE-2026-25707 ( SUSE ):  7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  * CVE-2026-44933 ( SUSE ):  8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-44933 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-44933 ( NVD ):  8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2026-44933 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-44941 ( SUSE ):  7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-44941 ( SUSE ):  7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-44942 ( SUSE ):  6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-44942 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-44942 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-48863 ( SUSE ):  8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-48863 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-9149 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-9149 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-9150 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2026-9150 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

  
Affected Products:

  * SUSE Linux Enterprise Server 16.0
  * SUSE Linux Enterprise Server for SAP applications 16.0

  
  
An update that solves seven vulnerabilities, contains two features and has five
fixes can now be installed.

## Description:

This update for zypper, libzypp, libsolv fixes the following issues:

Changes in zypper:

Update to 1.14.98:

  * Transactional systems: delegate rw commands to transactional-wrapper if
    available (jsc#PED-13680, jsc#PED-15607). On a transactional system where
    the root filesystem is mounted read-only, zypper commands that modify the
    system cannot be executed directly. If the system provides a
    transactional-wrapper utility, zypper automatically attempts to invoke it.
    The wrapper transparently executes the zypper command within a new,
    writable snapshot and manages the lifecycle of that snapshot based on the
    command's exit status. On transactional systems lacking a
    transactional-wrapper, users must manually invoke specialized tools such as
    transactional-update to install, update, or remove software.
  * Add --filter-version-change to zypper lu. Adds filtering by version-change
    significance to reduce noise in update listings. Supported levels: rebuild
    (hides rebuild-only changes) and package (hides all release-only changes).
  * Autorefresh ris-services the same way as plugin-services (bsc#1246504). It
    is wrong to treat service refreshes differently depending on the service
    type: for the purpose of a service it makes no difference how the data
    about the repos to use are acquired.

Changes in libzypp:

Updated to 17.38.13:

  * A .repo file's "path=" entry must not refer to a location outside the repo
    (bsc#1267874, CVE-2026-44942). A "path=" entry may solely denote a
    sub-directory of the baseurl where the metadata are located. A relative
    path trying to access data outside the baseurl is reported and sanitized.
  * Repo "keyhint" must denote a filename, not a path (bsc#1267426,
    CVE-2026-44941)
  * Fix potential crash on malformed or malicious repository metadata (fixes
    #740)
  * Repo metadata: discard entries referring to a location outside the repo
    (bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a
    location outside the repo's local cache directory. Those data entries are
    reported and discarded.
  * zypp.conf: Allow [env] section to add environment variables. This feature is
    designed to enable environment-specific settings or debugging options over
    an extended period. See zypp.conf(5).
  * Prevent configured scripts from escaping the sigcheck directory
    (bsc#1265223, CVE-2026-44933)
  * StringV: guard hasPrefix/hasPrefixCI against reading past the view end
    (fixes #735)
  * Mandatory signature verification plugin support (PED#11922)
  * Fix purge-kernel -rc kernel handling (bsc#1239718)
  * Explicitly set pool DISTTYPE_RPM (fixes #726)
  * Check for trusted key updates when updating the general keyring
    (bsc#1259706)
  * Support multiple MirroredOrigin authorities (bsc#1253193)
  * Work around doxygen bug: doxygen/doxygen#12057
  * libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
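
Three of the libzypp entries above (the "path=" entry, the "keyhint" entry
and the discarded metadata locations) enforce one rule: a location read from
untrusted repository data must resolve inside the repository's base directory,
or, for keyhint, be a bare file name. The following C++ check is an added
illustration of that rule written for this page; it is not libzypp's own code,
and the function names and the sample entries are constructed for the example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Normalise a "/"-separated location taken from untrusted repository metadata
// (a .repo "path=" value or a metadata entry's location) and report whether it
// stays inside the base directory. On success `out` receives the cleaned
// sub-directory ("" meaning the base itself). Absolute paths, embedded NUL
// bytes and any ".." that would climb above the base are rejected.
bool stays_inside_base(const std::string& rel, std::string& out) {
    if (!rel.empty() && rel[0] == '/') return false;        // absolute: not a sub-dir
    if (rel.find('\0') != std::string::npos) return false;  // NUL: never legitimate
    std::vector<std::string> stack;
    std::string part;
    for (size_t i = 0; i <= rel.size(); ++i) {
        if (i < rel.size() && rel[i] != '/') { part += rel[i]; continue; }
        if (!part.empty() && part != ".") {                  // "" and "." are no-ops
            if (part == "..") {
                if (stack.empty()) return false;            // would escape the base
                stack.pop_back();
            } else {
                stack.push_back(part);
            }
        }
        part.clear();
    }
    out.clear();
    for (size_t i = 0; i < stack.size(); ++i) {
        if (i) out += '/';
        out += stack[i];
    }
    return true;
}

// Verdict-only and normalised-path helpers; "<rejected>" flags a refused entry.
bool path_ok(const std::string& rel) {
    std::string ignored;
    return stays_inside_base(rel, ignored);
}
std::string path_norm(const std::string& rel) {
    std::string out;
    return stays_inside_base(rel, out) ? out : std::string("<rejected>");
}

// A keyhint names a file inside the repo's key area, so it must be a bare
// file name: no directory separators, and neither "." nor "..".
bool is_bare_filename(const std::string& name) {
    return !name.empty() && name != "." && name != ".." &&
           name.find('/') == std::string::npos;
}

// Count how many of a batch of locations a hardened parser would report and
// refuse (the batch is whatever the caller hands in).
int count_rejected(const std::vector<std::string>& paths) {
    int n = 0;
    for (const auto& p : paths) if (!path_ok(p)) ++n;
    return n;
}

int main() {
    // Constructed sample entries; none come from a real repository.
    const std::vector<std::string> samples = {
        "suse/noarch",                 // ordinary sub-directory
        "./x86_64/../noarch/",         // messy but still inside
        "",                            // the baseurl itself
        "../other-repo",               // climbs out of the repo
        "repodata/../../../etc/zypp",  // climbs out after descending
        "/var/cache/zypp",             // absolute path
    };
    for (const auto& p : samples)
        std::cout << '"' << p << "\" -> " << path_norm(p) << '\n';
    std::cout << "rejected: " << count_rejected(samples) << " of "
              << samples.size() << '\n';
    std::cout << "keyhint repomd.xml.key ok: "
              << is_bare_filename("repomd.xml.key") << '\n';
    std::cout << "keyhint ../../root/key ok: "
              << is_bare_filename("../../root/key") << '\n';
    return 0;
}
```

The check runs on the decoded, slash-separated form of the value. If the
location arrives percent-encoded inside a URL it must be decoded before this
check, otherwise "%2e%2e/" passes and still climbs out once the transport
decodes it. Reporting the rejected entry, as the update does rather than
silently dropping it, is what lets an operator recognise a tampered
repository instead of a merely missing file.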

Changes in libsolv:

Updated to 0.7.39:

  * fix solv_chksum_free segfault when called with a NULL pointer
  * made repo_add_solv more robust against corrupt files [bsc#1265935]
    [CVE-2026-9149]
  * fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039]
    [CVE-2026-48863]
  * added limit checks in multiple places to catch overflows
  * reduce the size of the language id cache
  * fixed Debian canon selection
  * fixed dbpath detection in repo_rpmdb_librpm
  * reduced stack usage in repo page compression (needed for musl)
  * fix parsing of sha512 checksums in debian repositories [bsc#1265938]
    [CVE-2026-9150]
  * improve speed of dirpool_add_dir, making parsing of filelists.xml twice as
    fast
  * fix parsing of recommends in the old Mandriva synthesis format

## Special Instructions and Notes:

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 16.0  
    zypper in -t patch SUSE-SLES-16.0-961=1

  * SUSE Linux Enterprise Server for SAP applications 16.0  
    zypper in -t patch SUSE-SLES-16.0-961=1

## Package List:

  * SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
    * libsolv1-0.7.39-160000.1.1
    * libsolv-tools-base-debuginfo-0.7.39-160000.1.1
    * libsolv-tools-0.7.39-160000.1.1
    * zypper-debuginfo-1.14.98-160000.1.1
    * libzypp-17.38.13-160000.1.1
    * libsolv-devel-debuginfo-0.7.39-160000.1.1
    * perl-solv-0.7.39-160000.1.1
    * zypper-debugsource-1.14.98-160000.1.1
    * libzypp-devel-17.38.13-160000.1.1
    * ruby-solv-debuginfo-0.7.39-160000.1.1
    * libsolv-debugsource-0.7.39-160000.1.1
    * libsolv-devel-static-0.7.39-160000.1.1
    * python313-solv-debuginfo-0.7.39-160000.1.1
    * libzypp-devel-doc-17.38.13-160000.1.1
    * libzypp-debuginfo-17.38.13-160000.1.1
    * perl-solv-debuginfo-0.7.39-160000.1.1
    * libsolv-devel-0.7.39-160000.1.1
    * ruby-solv-0.7.39-160000.1.1
    * libsolv-debuginfo-0.7.39-160000.1.1
    * libzypp-debugsource-17.38.13-160000.1.1
    * python313-solv-0.7.39-160000.1.1
    * libsolv-demo-debuginfo-0.7.39-160000.1.1
    * libsolv-tools-debuginfo-0.7.39-160000.1.1
    * libsolv-tools-base-0.7.39-160000.1.1
    * libsolv1-debuginfo-0.7.39-160000.1.1
    * libsolv-demo-0.7.39-160000.1.1
    * zypper-1.14.98-160000.1.1
  * SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
    * zypper-aptitude-1.14.98-160000.1.1
    * zypper-needs-restarting-1.14.98-160000.1.1
    * zypper-log-1.14.98-160000.1.1
  * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
    * libsolv1-0.7.39-160000.1.1
    * libsolv-tools-base-debuginfo-0.7.39-160000.1.1
    * libsolv-tools-0.7.39-160000.1.1
    * zypper-debuginfo-1.14.98-160000.1.1
    * libzypp-17.38.13-160000.1.1
    * libsolv-devel-debuginfo-0.7.39-160000.1.1
    * perl-solv-0.7.39-160000.1.1
    * zypper-debugsource-1.14.98-160000.1.1
    * libzypp-devel-17.38.13-160000.1.1
    * ruby-solv-debuginfo-0.7.39-160000.1.1
    * libsolv-debugsource-0.7.39-160000.1.1
    * libsolv-devel-static-0.7.39-160000.1.1
    * python313-solv-debuginfo-0.7.39-160000.1.1
    * libzypp-devel-doc-17.38.13-160000.1.1
    * libzypp-debuginfo-17.38.13-160000.1.1
    * perl-solv-debuginfo-0.7.39-160000.1.1
    * libsolv-devel-0.7.39-160000.1.1
    * ruby-solv-0.7.39-160000.1.1
    * libsolv-debuginfo-0.7.39-160000.1.1
    * libzypp-debugsource-17.38.13-160000.1.1
    * python313-solv-0.7.39-160000.1.1
    * libsolv-demo-debuginfo-0.7.39-160000.1.1
    * libsolv-tools-debuginfo-0.7.39-160000.1.1
    * libsolv-tools-base-0.7.39-160000.1.1
    * libsolv1-debuginfo-0.7.39-160000.1.1
    * libsolv-demo-0.7.39-160000.1.1
    * zypper-1.14.98-160000.1.1
  * SUSE Linux Enterprise Server 16.0 (noarch)
    * zypper-aptitude-1.14.98-160000.1.1
    * zypper-needs-restarting-1.14.98-160000.1.1
    * zypper-log-1.14.98-160000.1.1

## References:

  * https://www.suse.com/security/cve/CVE-2026-25707.html
  * https://www.suse.com/security/cve/CVE-2026-44933.html
  * https://www.suse.com/security/cve/CVE-2026-44941.html
  * https://www.suse.com/security/cve/CVE-2026-44942.html
  * https://www.suse.com/security/cve/CVE-2026-48863.html
  * https://www.suse.com/security/cve/CVE-2026-9149.html
  * https://www.suse.com/security/cve/CVE-2026-9150.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1239718
  * https://bugzilla.suse.com/show_bug.cgi?id=1246504
  * https://bugzilla.suse.com/show_bug.cgi?id=1253193
  * https://bugzilla.suse.com/show_bug.cgi?id=1259706
  * https://bugzilla.suse.com/show_bug.cgi?id=1259802
  * https://bugzilla.suse.com/show_bug.cgi?id=1259842
  * https://bugzilla.suse.com/show_bug.cgi?id=1265223
  * https://bugzilla.suse.com/show_bug.cgi?id=1265935
  * https://bugzilla.suse.com/show_bug.cgi?id=1265938
  * https://bugzilla.suse.com/show_bug.cgi?id=1266039
  * https://bugzilla.suse.com/show_bug.cgi?id=1267426
  * https://bugzilla.suse.com/show_bug.cgi?id=1267874
  * https://jira.suse.com/browse/PED-13680
  * https://jira.suse.com/browse/PED-15607
