256 matches found
Code injection
In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content...
CVE-2017-7436
In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
CVE-2017-7435
In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
UBUNTU-CVE-2017-7436
In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
CVE-2017-7435
In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
DEBIAN-CVE-2017-7435
In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
DEBIAN-CVE-2017-9269
In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content...
DEBIAN-CVE-2017-7436
In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
CVE-2017-9269
CVE-2017-9269 affects libzypp; before Aug 2018 GPG keys attached to YUM repositories were not properly pinned, allowing malicious mirrors to downgrade to unsigned repos with potentially malicious content. The issue originates from improper key pinning rather than repository signing verification. ...
CVE-2017-7436 libzypp accepts unsigned packages even when configured to check signatures
In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
CVE-2017-7436
CVE-2017-7436 concerns a flaw in libzypp prior to 20170803 where unsigned packages could be retrieved without a user warning, enabling potential MITM or malicious servers to inject RPMs. The impact described in the accompanying advisories is high (CVE-2017-7436) with risk to package integrity and...
CVE-2017-9269 lack of keypinning in libzypp could lead to repository switching
In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content...
CVE-2017-7435
CVE-2017-7435 affects libzypp (before 20170803). The issue allows adding unsigned YUM repositories without user warning, creating a vector for man‑in‑the‑middle or malicious servers to inject unsigned RPMs. Connected advisories show the fix being addressed in SUSE’s libzypp/zypper security update...
CVE-2017-7435 libzypp accepts unsigned 3rd party repo without warning
In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
CVE-2017-7436
In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system...
CVE-2017-9269
In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content...
openSUSE: Security Advisory for libzypp (openSUSE-SU-2017:2370-1)
The remote host is missing an update for the Copyright C 2017 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
openSUSE Security Update : libzypp / zypper (openSUSE-2017-1009)
The Software Update Stack was updated to receive fixes and enhancements. libzypp : - Adapt to work with GnuPG 2.1.23. bsc1054088 - Support signing with subkeys. bsc1008325 - Enhance sort order for media.1/products. bsc1054671 zypper : - Also show a gpg key's subkeys. bsc1008325 - Improve signatur...
SUSE SLED12 / SLES12 Security Update : libzypp, zypper (SUSE-SU-2017:2344-1)
The Software Update Stack was updated to receive fixes and enhancements. libzypp : - Adapt to work with GnuPG 2.1.23. bsc1054088 - Support signing with subkeys. bsc1008325 - Enhance sort order for media.1/products. bsc1054671 zypper : - Also show a gpg key's subkeys. bsc1008325 - Improve signatur...
openSUSE Security Update : libzypp (openSUSE-2017-989)
The Software Update Stack was updated to receive fixes and enhancements. libzypp : - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. bsc1045735, bsc1038984 - Fix gpg-pubkey release creation time computation. bsc1036659 - Update...