An update for libsolv is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2022-1569
Final 1.0 1.0 2022-03-12 Initial 2022-03-12 2022-03-12
openEuler SA Tool V1.0 2022-03-12

libsolv security update

An update for libsolv is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.

A free package dependency solver using a satisfiability algorithm. The library is based on two major, but independent, blocks:

Security Fix(es):

Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service. (CVE-2021-44568)

A heap overflow vulnerability exists in openSUSE libsolv through 13 Dec 2020 in the prefer_suggested function at src/policy.c: line 442. (CVE-2021-44571)

Two heap-overflow vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the propagate function at src/solver.c: line 490 and 524. (CVE-2021-44577)

Two heap overflow vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the resolve_installed function at src/solver.c: line 1728 & 1766. (CVE-2021-44573)

A heap-overflow vulnerability exists in openSUSE libsolv through 13 Dec 2020 in the resolve_jobrules function at src/solver.c at line 1599. (CVE-2021-44574)

Two memory vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the resolve_weak function at src/solver.c: line 2222 and 2249. (CVE-2021-44576)

A heap-buffer openSUSE libsolv through 13 Dec 2020 exists in the solver_solve function at src/solver.c: line 3445. (CVE-2021-44569)

Two heap-overflow vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the makeruledecisions function at src/solver.c: line 147 and 307. (CVE-2021-44575)

An update for libsolv is now available for
openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

High
libsolv

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44568
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44571
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44577
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44573
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44574
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44576
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44569
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-44575
https://nvd.nist.gov/vuln/detail/CVE-2021-44568
https://nvd.nist.gov/vuln/detail/CVE-2021-44571
https://nvd.nist.gov/vuln/detail/CVE-2021-44577
https://nvd.nist.gov/vuln/detail/CVE-2021-44573
https://nvd.nist.gov/vuln/detail/CVE-2021-44574
https://nvd.nist.gov/vuln/detail/CVE-2021-44576
https://nvd.nist.gov/vuln/detail/CVE-2021-44569
https://nvd.nist.gov/vuln/detail/CVE-2021-44575

openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
openEuler-20.03-LTS-SP3

libsolv-debuginfo-0.7.14-5.oe1.aarch64.rpm
libsolv-0.7.14-5.oe1.aarch64.rpm
libsolv-debugsource-0.7.14-5.oe1.aarch64.rpm
ruby-solv-0.7.14-5.oe1.aarch64.rpm
python3-solv-0.7.14-5.oe1.aarch64.rpm
perl-solv-0.7.14-5.oe1.aarch64.rpm
libsolv-devel-0.7.14-5.oe1.aarch64.rpm
ruby-solv-0.7.14-6.oe1.aarch64.rpm
libsolv-debugsource-0.7.14-6.oe1.aarch64.rpm
python3-solv-0.7.14-6.oe1.aarch64.rpm
libsolv-debuginfo-0.7.14-6.oe1.aarch64.rpm
libsolv-0.7.14-6.oe1.aarch64.rpm
libsolv-devel-0.7.14-6.oe1.aarch64.rpm
perl-solv-0.7.14-6.oe1.aarch64.rpm
perl-solv-0.7.14-6.oe1.aarch64.rpm
libsolv-debuginfo-0.7.14-6.oe1.aarch64.rpm
ruby-solv-0.7.14-6.oe1.aarch64.rpm
libsolv-debugsource-0.7.14-6.oe1.aarch64.rpm
python3-solv-0.7.14-6.oe1.aarch64.rpm
libsolv-devel-0.7.14-6.oe1.aarch64.rpm
libsolv-0.7.14-6.oe1.aarch64.rpm
libsolv-help-0.7.14-5.oe1.noarch.rpm
libsolv-help-0.7.14-6.oe1.noarch.rpm
libsolv-help-0.7.14-6.oe1.noarch.rpm
libsolv-0.7.14-5.oe1.src.rpm
libsolv-0.7.14-6.oe1.src.rpm
libsolv-0.7.14-6.oe1.src.rpm
libsolv-0.7.14-5.oe1.x86_64.rpm
libsolv-debugsource-0.7.14-5.oe1.x86_64.rpm
libsolv-devel-0.7.14-5.oe1.x86_64.rpm
libsolv-debuginfo-0.7.14-5.oe1.x86_64.rpm
perl-solv-0.7.14-5.oe1.x86_64.rpm
ruby-solv-0.7.14-5.oe1.x86_64.rpm
python3-solv-0.7.14-5.oe1.x86_64.rpm
libsolv-devel-0.7.14-6.oe1.x86_64.rpm
ruby-solv-0.7.14-6.oe1.x86_64.rpm
libsolv-debuginfo-0.7.14-6.oe1.x86_64.rpm
python3-solv-0.7.14-6.oe1.x86_64.rpm
libsolv-debugsource-0.7.14-6.oe1.x86_64.rpm
libsolv-0.7.14-6.oe1.x86_64.rpm
perl-solv-0.7.14-6.oe1.x86_64.rpm
libsolv-debugsource-0.7.14-6.oe1.x86_64.rpm
libsolv-0.7.14-6.oe1.x86_64.rpm
libsolv-devel-0.7.14-6.oe1.x86_64.rpm
perl-solv-0.7.14-6.oe1.x86_64.rpm
libsolv-debuginfo-0.7.14-6.oe1.x86_64.rpm
python3-solv-0.7.14-6.oe1.x86_64.rpm
ruby-solv-0.7.14-6.oe1.x86_64.rpm

Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service.
2022-03-12
CVE-2021-44568
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569

A heap overflow vulnerability exists in openSUSE libsolv through 13 Dec 2020 in the prefer_suggested function at src/policy.c: line 442.
2022-03-12
CVE-2021-44571
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569

Two heap-overflow vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the propagate function at src/solver.c: line 490 and 524.
2022-03-12
CVE-2021-44577
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569

Two heap overflow vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the resolve_installed function at src/solver.c: line 1728 & 1766.
2022-03-12
CVE-2021-44573
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569

A heap-overflow vulnerability exists in openSUSE libsolv through 13 Dec 2020 in the resolve_jobrules function at src/solver.c at line 1599.
2022-03-12
CVE-2021-44574
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569

Two memory vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the resolve_weak function at src/solver.c: line 2222 and 2249.
2022-03-12
CVE-2021-44576
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569

A heap-buffer openSUSE libsolv through 13 Dec 2020 exists in the solver_solve function at src/solver.c: line 3445.
2022-03-12
CVE-2021-44569
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569

Two heap-overflow vulnerabilities exist in openSUSE libsolv through 13 Dec 2020 in the makeruledecisions function at src/solver.c: line 147 and 307.
2022-03-12
CVE-2021-44575
openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3
Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
libsolv security update 2022-03-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1569