An update for lapack is now available for openEuler-20.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1947 Final 1.0 1.0 2022-09-23 Initial 2022-09-23 2022-09-23 openEuler SA Tool V1.0 2022-09-23 lapack security update An update for lapack is now available for openEuler-20.03-LTS-SP3. LAPACK (Linear Algebra PACKage) is a standard library for numerical linear algebra. LAPACK provides routines for solving systems of simultaneous linear equations, least-squares solutions of linear systems of equations, eigenvalue problems, and singular value problems. Associated matrix factorizations (LU, Cholesky, QR, SVD,Schur, and generalized Schur) and related computations (i.e.,reordering of Schur factorizations and estimating condition numbers)are also included. LAPACK can handle dense and banded matrices, but not general sparse matrices. Similar functionality is provided for real and complex matrices in both single and double precision. LAPACK is coded in Fortran90 and built with gcc. Security Fix(es): An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.(CVE-2021-4048) An update for lapack is now available for openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium lapack https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1947 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-4048 https://nvd.nist.gov/vuln/detail/CVE-2021-4048 openEuler-20.03-LTS-SP3 lapack-3.9.0-6.oe1.aarch64.rpm lapack-help-3.9.0-6.oe1.aarch64.rpm lapack-devel-3.9.0-6.oe1.aarch64.rpm lapack-3.9.0-6.oe1.src.rpm lapack-3.9.0-6.oe1.x86_64.rpm lapack-help-3.9.0-6.oe1.x86_64.rpm lapack-devel-3.9.0-6.oe1.x86_64.rpm An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory. 2022-09-23 CVE-2021-4048 openEuler-20.03-LTS-SP3 Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H lapack security update 2022-09-23 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1947