5 matches found
CVE-2019-18900
CVE-2019-18900 affects libzypp in SUSE CaaS Platform 3.0 and SUSE Linux Enterprise Server 12/15, where an incorrect default-permissions issue could allow local attackers to read a cookie store used by libzypp and expose private cookies. Affected versions include: SUSE CaaS Platform 3.0 libzypp &l...
CVE-2017-7435
CVE-2017-7435 affects libzypp (before 20170803). The issue allows adding unsigned YUM repositories without user warning, creating a vector for man‑in‑the‑middle or malicious servers to inject unsigned RPMs. Connected advisories show the fix being addressed in SUSE’s libzypp/zypper security update...
CVE-2017-7436
CVE-2017-7436 concerns a flaw in libzypp prior to 20170803 where unsigned packages could be retrieved without a user warning, enabling potential MITM or malicious servers to inject RPMs. The impact described in the accompanying advisories is high (CVE-2017-7436) with risk to package integrity and...
CVE-2017-9269
CVE-2017-9269 affects libzypp; before Aug 2018, GPG keys attached to YUM repositories were not properly pinned, allowing malicious mirrors to downgrade to unsigned repos with potentially malicious content. The issue originates from improper key pinning rather than repository signing verification. ...
CVE-2018-7685
The CVE-2018-7685 issue affects libzypp (and related components) used by openSUSE/SUSE packaging. Description: decoupled download and installation steps in libzypp before 17.5.0 could leave a corrupted RPM in the cache, and a subsequent installation could proceed without displaying the corrupted ...