[SECURITY] [DLA 2088-1] libsolv security update

2020-01-3018:03:13

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

55.2%

JSON

Package : libsolv
Version : 0.6.5-1+deb8u1
CVE ID : CVE-2019-20387
Debian Bug : 949611

repodata_schema2id in repodata.c in libsolv, a dependency solver library,
had a heap-based buffer over-read via a last schema whose length could be
less than the length of the input schema.

For Debian 8 "Jessie", this problem has been fixed in version
0.6.5-1+deb8u1.

We recommend that you upgrade your libsolv packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

–

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net

Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian10amd64libsolvext0-dbgsym< 0.6.35-2+deb10u1libsolvext0-dbgsym_0.6.35-2+deb10u1_amd64.deb
Debian9alllibsolv< 0.6.24-1+deb9u2libsolv_0.6.24-1+deb9u2_all.deb
Debian9armhfpython3-solv< 0.6.24-1+deb9u2python3-solv_0.6.24-1+deb9u2_armhf.deb
Debian10mipslibsolv0< 0.6.35-2+deb10u1libsolv0_0.6.35-2+deb10u1_mips.deb
Debian8armhflibsolv0-dev< 0.6.5-1+deb8u1libsolv0-dev_0.6.5-1+deb8u1_armhf.deb
Debian9mips64ellibsolv-perl-dbgsym< 0.6.24-1+deb9u2libsolv-perl-dbgsym_0.6.24-1+deb9u2_mips64el.deb
Debian10armellibsolv0-dbgsym< 0.6.35-2+deb10u1libsolv0-dbgsym_0.6.35-2+deb10u1_armel.deb
Debian10armellibsolv-tools< 0.6.35-2+deb10u1libsolv-tools_0.6.35-2+deb10u1_armel.deb
Debian10amd64libsolv-perl< 0.6.35-2+deb10u1libsolv-perl_0.6.35-2+deb10u1_amd64.deb
Debian9i386libsolv-perl< 0.6.24-1+deb9u2libsolv-perl_0.6.24-1+deb9u2_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	amd64	libsolvext0-dbgsym	< 0.6.35-2+deb10u1	libsolvext0-dbgsym_0.6.35-2+deb10u1_amd64.deb
Debian	9	all	libsolv	< 0.6.24-1+deb9u2	libsolv_0.6.24-1+deb9u2_all.deb
Debian	9	armhf	python3-solv	< 0.6.24-1+deb9u2	python3-solv_0.6.24-1+deb9u2_armhf.deb
Debian	10	mips	libsolv0	< 0.6.35-2+deb10u1	libsolv0_0.6.35-2+deb10u1_mips.deb
Debian	8	armhf	libsolv0-dev	< 0.6.5-1+deb8u1	libsolv0-dev_0.6.5-1+deb8u1_armhf.deb
Debian	9	mips64el	libsolv-perl-dbgsym	< 0.6.24-1+deb9u2	libsolv-perl-dbgsym_0.6.24-1+deb9u2_mips64el.deb
Debian	10	armel	libsolv0-dbgsym	< 0.6.35-2+deb10u1	libsolv0-dbgsym_0.6.35-2+deb10u1_armel.deb
Debian	10	armel	libsolv-tools	< 0.6.35-2+deb10u1	libsolv-tools_0.6.35-2+deb10u1_armel.deb
Debian	10	amd64	libsolv-perl	< 0.6.35-2+deb10u1	libsolv-perl_0.6.35-2+deb10u1_amd64.deb
Debian	9	i386	libsolv-perl	< 0.6.24-1+deb9u2	libsolv-perl_0.6.24-1+deb9u2_i386.deb