SUSE-SU-2026:21988-1: important: Security update for libzypp, libsolv
SLE-UPDATES
null at suse.de
Fri Jun 5 12:31:32 UTC 2026
# Security update for libzypp, libsolv
Announcement ID: SUSE-SU-2026:21988-1
Release Date: 2026-06-02T15:05:07Z
Rating: important
References:
* bsc#1259802
* bsc#1265935
* bsc#1265938
* bsc#1266039
Cross-References:
* CVE-2026-25707
* CVE-2026-48863
* CVE-2026-9149
* CVE-2026-9150
CVSS scores:
* CVE-2026-25707 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-48863 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-48863 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-9149 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9149 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9149 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9150 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9150 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
* SUSE Linux Micro 6.0
An update that solves four vulnerabilities can now be installed.
## Description:
This update for libzypp, libsolv fixes the following issues:
libsolv was updated to 0.7.39:
* fix solv_chksum_free segfault when called with a NULL pointer
* made repo_add_solv more robust against corrupt files [bsc#1265935]
[CVE-2026-9149]
* fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039]
[CVE-2026-48863]
* added limit checks in multiple places to catch overflows
* reduce the size of the language id cache
* fixed Debian canon selection
* fixed dbpath detection in repo_rpmdb_librpm
* reduced stack usage in repo page compression (needed for musl)
* Fixed in earlier release: [bsc#1265938] [CVE-2026-9150]
* fix parsing of recommends in the old Mandriva synthesis format
libzypp was updated to 17.38.11:
* Fix potential crash on malformed or malicious repository metadata (fixes
#740)
* Repo metadata: discard entries referring to a location outside the repo
(bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a
location outside the repo's local cache directory. Those data entries are
reported and discarded.
* zypp.conf: Allow [env] section to add environment variables. This feature is
designed to enable environment-specific settings or debugging options over
an extended period. See zypp.conf(5).
## Special Instructions and Notes:
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
zypper in -t patch SUSE-SLE-Micro-6.0-739=1
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
* libzypp-debuginfo-17.38.11-1.1
* libsolv-tools-debuginfo-0.7.39-1.1
* libsolv-tools-0.7.39-1.1
* libsolv-debugsource-0.7.39-1.1
* libzypp-debugsource-17.38.11-1.1
* libsolv-tools-base-0.7.39-1.1
* libsolv-tools-base-debuginfo-0.7.39-1.1
* libzypp-17.38.11-1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-25707.html
* https://www.suse.com/security/cve/CVE-2026-48863.html
* https://www.suse.com/security/cve/CVE-2026-9149.html
* https://www.suse.com/security/cve/CVE-2026-9150.html
* https://bugzilla.suse.com/show_bug.cgi?id=1259802
* https://bugzilla.suse.com/show_bug.cgi?id=1265935
* https://bugzilla.suse.com/show_bug.cgi?id=1265938
* https://bugzilla.suse.com/show_bug.cgi?id=1266039
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260605/6f83daa1/attachment.htm>
More information about the sle-updates
mailing list