An update for sphinx is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3

Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuing authority: openEuler security committee
ID: openEuler-SA-2022-1496
Status: Final
Version: 1.0
Revision history: 1.0, 2022-01-22, Initial
Initial release date: 2022-01-22
Current release date: 2022-01-22
Generator: openEuler SA Tool V1.0, 2022-01-22

Synopsis: sphinx security update

Description:

Sphinx is a full-text search engine, distributed under GPL version 2. Commercial licensing (e.g. for embedded use) is also available upon request. Generally, it's a standalone search engine, meant to provide fast, size-efficient and relevant full-text search functions to other applications. Sphinx was specially designed to integrate well with SQL databases and scripting languages. Currently, built-in data source drivers support fetching data either via direct connection to MySQL or PostgreSQL, or from a pipe in a custom XML format. Adding new drivers (e.g. native support for other DBMSes) is designed to be as easy as possible. The search API is natively ported to PHP, Python, Perl, Ruby and Java, and is also available as a pluggable MySQL storage engine. The API is very lightweight, so porting it to a new language is known to take a few hours. As for the name, Sphinx is an acronym which is officially decoded as SQL Phrase Index. Yes, I know about CMU's Sphinx project.

Security Fix(es):

SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). NOTE: this is unrelated to CMUSphinx. (CVE-2020-29050)

Topic:

An update for sphinx is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: High
Affected component: sphinx

References:

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1496
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2020-29050
https://nvd.nist.gov/vuln/detail/CVE-2020-29050

Products:

openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3

Packages (the same set is listed for each of the three products):

aarch64:
libsphinxclient-devel-2.2.11-2.oe1.aarch64.rpm
sphinx-php-2.2.11-2.oe1.aarch64.rpm
libsphinxclient-2.2.11-2.oe1.aarch64.rpm
sphinx-debuginfo-2.2.11-2.oe1.aarch64.rpm
sphinx-2.2.11-2.oe1.aarch64.rpm
sphinx-java-2.2.11-2.oe1.aarch64.rpm
sphinx-debugsource-2.2.11-2.oe1.aarch64.rpm

noarch:
sphinx-help-2.2.11-2.oe1.noarch.rpm

src:
sphinx-2.2.11-2.oe1.src.rpm

x86_64:
sphinx-php-2.2.11-2.oe1.x86_64.rpm
sphinx-debugsource-2.2.11-2.oe1.x86_64.rpm
sphinx-2.2.11-2.oe1.x86_64.rpm
sphinx-java-2.2.11-2.oe1.x86_64.rpm
libsphinxclient-devel-2.2.11-2.oe1.x86_64.rpm
sphinx-debuginfo-2.2.11-2.oe1.x86_64.rpm
libsphinxclient-2.2.11-2.oe1.x86_64.rpm

Vulnerability:

CVE: CVE-2020-29050
Release date: 2022-01-22
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2, openEuler-20.03-LTS-SP3
Impact: High
CVSS base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Remediation: sphinx security update, 2022-01-22, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1496