SUSE-SU-2026:2531-1: important: Security update for libsolv, libzypp, zypper
SLE-UPDATES
null at suse.de
Tue Jun 23 16:46:44 UTC 2026
# Security update for libsolv, libzypp, zypper
Announcement ID: SUSE-SU-2026:2531-1
Release Date: 2026-06-23T10:25:42Z
Rating: important
References:
* bsc#1158038
* bsc#1239718
* bsc#1246504
* bsc#1247948
* bsc#1249435
* bsc#1252744
* bsc#1253193
* bsc#1253740
* bsc#1257068
* bsc#1257882
* bsc#1258193
* bsc#1259311
* bsc#1259706
* bsc#1259802
* bsc#1259842
* bsc#1265223
* bsc#1265935
* bsc#1265938
* bsc#1266039
* bsc#1267426
* bsc#1267874
* jsc#PED-13680
* jsc#PED-14658
* jsc#PED-15607
Cross-References:
* CVE-2026-25707
* CVE-2026-44933
* CVE-2026-44941
* CVE-2026-44942
* CVE-2026-48863
* CVE-2026-9149
* CVE-2026-9150
CVSS scores:
* CVE-2026-25707 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2026-44933 ( SUSE ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-44933 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-44933 ( NVD ): 8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-44933 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-44941 ( SUSE ): 7.5
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2026-44941 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-44942 ( SUSE ): 6.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-44942 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-44942 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-48863 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-48863 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-9149 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9149 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9149 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9150 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-9150 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
* Basesystem Module 15-SP7
* Development Tools Module 15-SP7
* Python 3 Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves seven vulnerabilities, contains three features and has 14
security fixes can now be installed.
## Description:
This update for libsolv, libzypp, zypper fixes the following issues
* CVE-2026-9149: Heap buffer overflow in libsolv repo_add_solv via negative
maxsize from crafted .solv file (bsc#1265935).
* CVE-2026-9150: Stack-based buffer overflow in libsolv's Debian metadata
parser when handling SHA384/SHA512 checksums (bsc#1265938).
* CVE-2026-25707: Handcrafted repo metadata may cause arbitrary local files to
be overwritten (bsc#1259802).
* CVE-2026-44933: scan of the Mandatory signature verification plugin support
(bsc#1265223).
* CVE-2026-44941: path traversal via "keyhint" (bsc#1267426).
* CVE-2026-44942: .repo files can have an optional path which can lead to path
traversal attacks (bsc#1267874).
* CVE-2026-48863: Fix buffer overflow when parsing EdDSA signature
(bsc#1266039).
Changes in libzypp:
Updated to version 17.38.13 (35):
* A .repo files "path=" entry must not refer to a location outside the repo
(bsc#1267874, CVE-2026-44942) A "path=" entry may solely denote a sub-
directory of the baseurl where the metadata are located. A relative path
trying to access data outside the baseurl is reported and sanitized.
* Fix potential crash on malformed or malicious repository metadata (fixes
#740)
* Repo metadata: discard entries referring to a location outside the repo
(bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a
location outside the repo's local cache directory. Those data entries are
reported and discarded.
* zypp.conf: Allow [env] section to add environment variables. This feature is
designed to enable environment-specific settings or debugging options over
an extended period. See zypp.conf(5).
* Prevent configured scripts from escaping the sigcheck directory
(bsc#1265223, CVE-2026-44933)
* StringV: guard hasPrefix/hasPrefixCI against reading past the view end
(fixes #735)
* Mandatory signature verification plugin support (PED#11922)
* Fix purge-kernel -rc kernel handling (bsc#1239718)
* Explicitly_set_pool_DISTTYPE_RPM (fixes #726)
* Check for trusted key updates when updating the general keyring
(bsc#1259706)
* Support multiple MirroredOrigin authorities (bsc#1253193)
* Workaround doxygen bug: doxygen/doxygen#12057
* libzypp.spec: Add missing graphviz-gd BuildRequires (boo#1259842)
* Fix preloader not caching packages from arch specific subrepos (bsc#1253740)
* Deprioritize invalid mirrors (fixes openSUSE/zypper#636)
* Fix Product::referencePackage lookup (bsc#1259311) Use a provided
autoproduct() as hint to the package name of the release package. It might
be that not just multiple versions of the same release package provide the
same product version, but also different release packages.
* specfile: on fedora use %{_prefix}/share as zyppconfdir if %{_distconfdir}
is undefined (fixes #693) This will set '-DZYPPCONFDIR=%{zyppconfdir}' for
cmake.
* Fall back to a writable location when precaching packages without root
(bsc#1247948)
* Prepare a legacy /etc/zypp/zypp.conf to be installed on old distros. See the
ZYPP.CONF(5) man page for details.
* Fix runtime check for broken rpm --runposttrans (bsc#1257068)
* Avoid libcurl-mini4 when building as it does not support ftp protocol.
* Translation: updated .pot file.
* zypp.conf: follow the UAPI configuration file specification (PED-14658) In
short terms it means we will no longer ship an /etc/zypp/zypp.conf, but
store our own defaults in /usr/etc/zypp/zypp.conf. The systems administrator
may choose to keep a full copy in /etc/zypp/zypp.conf ignoring our config
file settings completely, or - the preferred way - to overwrite specific
settings via /etc/zypp/zypp.conf.d/*.conf overlay files. See the
ZYPP.CONF(5) man page for details.
* cmake: correctly detect rpm6 (fixes #689)
* Use 'zypp.tmp' as temp directory component to ease setting up SELinux
policies (bsc#1249435)
* zyppng: Update Provider to current MediaCurl2 download approach, drop
Metalink ( fixes #682 )
Changes in libsolv:
Updated to version 0.7.39:
* fix solv_chksum_free segfault when called with a NULL pointer
* made repo_add_solv more robust against corrupt files [bsc#1265935]
[CVE-2026-9149]
* fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039]
[CVE-2026-48863]
* added limit checks in multiple places to catch overflows
* reduce the size of the language id cache
* fixed Debian canon selection
* fixed dbpath detection in repo_rpmdb_librpm
* reduced stack usage in repo page compression (needed for musl)
* fix parsing of sha512 checksums in debian repositories [bsc#1265938]
[CVE-2026-9150]
* improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as
fast
* fix parsing of recommends in the old Mandriva synthesis format
* respect the "default" attribute in environment optionlist in the comps
parser
* support suse namespace deps in boolean dependencies [bsc#1258193]
* support for the Elbrus2000 (e2k) architecture
* support language() suse namespace rewriting
Changes in zypper:
Update to version 1.14.98:
* Transactional systems: Delegate rw-commands to transactional-wrapper if
available (jsc#PED-13680, jsc#PED-15607) On a transactional system where the
root filesystem is mounted read-only, zypper commands that modify the system
cannot be executed directly. If the system provides a transactional-wrapper
utility, zypper will automatically attempt to invoke it. The wrapper
transparently executes the zypper command within a new, writable snapshot
and manages the lifecycle of that snapshot based on the command's exit
status. On transactional systems lacking a transactional-wrapper, users must
manually invoke specialized tools -such as transactional-update- to install,
update, or remove software.
* Add --filter-version-change to zypper lu. Adds filtering by version change
significance to reduce noise in update listings. Supports levels: rebuild
(hides rebuild-only changes) and package (hides all release-only changes).
* Autorefresh ris-services the way as plugin-services (bsc#1246504) It's
actually wrong to treat service refreshes different depending on the service
type. For the purpose of a service it makes no difference how the data about
the repos to use are acquired.
* Report download progress for command line rpms (fixes #613)
* Hint to '-vv ref' to see the mirrors used to download the metadata
(bsc#1257882)
* Service: Allow "zypper ls SERVICE ..." to test whether a service with this
alias is defined (bsc#1252744) The command prints an abstract of all
services passed on the command line. It returns
3-ZYPPER_EXIT_ERR_INVALID_ARGS if some argument does not name an existing
service.
* Keep repo data when updating the service settings (bsc#1252744)
* info: Enhance pattern content table (bsc#1158038) Alternatives (multiple
packages providing the same requirement) are now listed as a single entry in
the content table. The entry shows either the installed package which
satisfies the requirement or the requirement itself as type 'Provides'.
Listing all potential alternatives was miss leading, especially if the
alternatives were mutual exclusive. It looked like an installed pattern had
not-installed requirements and it was not possible to install all
requirements at the same time.
## Special Instructions and Notes:
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* Python 3 Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-2531=1
* Basesystem Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2531=1
* Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-2531=1
## Package List:
* Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* python3-solv-debuginfo-0.7.39-150700.11.10.1
* libsolv-tools-debuginfo-0.7.39-150700.11.10.1
* libsolv-tools-base-debuginfo-0.7.39-150700.11.10.1
* libsolv-devel-0.7.39-150700.11.10.1
* libzypp-17.38.13-150700.6.13.1
* zypper-debuginfo-1.14.98-150700.13.6.1
* libzypp-debugsource-17.38.13-150700.6.13.1
* zypper-1.14.98-150700.13.6.1
* libzypp-devel-17.38.13-150700.6.13.1
* libsolv-tools-base-0.7.39-150700.11.10.1
* zypper-debugsource-1.14.98-150700.13.6.1
* ruby-solv-0.7.39-150700.11.10.1
* libsolv-debuginfo-0.7.39-150700.11.10.1
* libsolv-tools-0.7.39-150700.11.10.1
* ruby-solv-debuginfo-0.7.39-150700.11.10.1
* libsolv-devel-debuginfo-0.7.39-150700.11.10.1
* python3-solv-0.7.39-150700.11.10.1
* libsolv-debugsource-0.7.39-150700.11.10.1
* libzypp-debuginfo-17.38.13-150700.6.13.1
* Basesystem Module 15-SP7 (noarch)
* zypper-log-1.14.98-150700.13.6.1
* zypper-needs-restarting-1.14.98-150700.13.6.1
* Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* libsolv-debuginfo-0.7.39-150700.11.10.1
* perl-solv-debuginfo-0.7.39-150700.11.10.1
* libsolv-debugsource-0.7.39-150700.11.10.1
* perl-solv-0.7.39-150700.11.10.1
* Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* python311-solv-0.7.39-150700.11.10.1
## References:
* https://www.suse.com/security/cve/CVE-2026-25707.html
* https://www.suse.com/security/cve/CVE-2026-44933.html
* https://www.suse.com/security/cve/CVE-2026-44941.html
* https://www.suse.com/security/cve/CVE-2026-44942.html
* https://www.suse.com/security/cve/CVE-2026-48863.html
* https://www.suse.com/security/cve/CVE-2026-9149.html
* https://www.suse.com/security/cve/CVE-2026-9150.html
* https://bugzilla.suse.com/show_bug.cgi?id=1158038
* https://bugzilla.suse.com/show_bug.cgi?id=1239718
* https://bugzilla.suse.com/show_bug.cgi?id=1246504
* https://bugzilla.suse.com/show_bug.cgi?id=1247948
* https://bugzilla.suse.com/show_bug.cgi?id=1249435
* https://bugzilla.suse.com/show_bug.cgi?id=1252744
* https://bugzilla.suse.com/show_bug.cgi?id=1253193
* https://bugzilla.suse.com/show_bug.cgi?id=1253740
* https://bugzilla.suse.com/show_bug.cgi?id=1257068
* https://bugzilla.suse.com/show_bug.cgi?id=1257882
* https://bugzilla.suse.com/show_bug.cgi?id=1258193
* https://bugzilla.suse.com/show_bug.cgi?id=1259311
* https://bugzilla.suse.com/show_bug.cgi?id=1259706
* https://bugzilla.suse.com/show_bug.cgi?id=1259802
* https://bugzilla.suse.com/show_bug.cgi?id=1259842
* https://bugzilla.suse.com/show_bug.cgi?id=1265223
* https://bugzilla.suse.com/show_bug.cgi?id=1265935
* https://bugzilla.suse.com/show_bug.cgi?id=1265938
* https://bugzilla.suse.com/show_bug.cgi?id=1266039
* https://bugzilla.suse.com/show_bug.cgi?id=1267426
* https://bugzilla.suse.com/show_bug.cgi?id=1267874
* https://jira.suse.com/browse/PED-13680
* https://jira.suse.com/browse/PED-14658
* https://jira.suse.com/browse/PED-15607
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260623/1dfd6d4b/attachment.htm>
More information about the sle-updates
mailing list