An update for libsass is now available for openEuler-22.03-LTS-SP3
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2024-1049
Final
1.0
1.0
2024-01-12
Initial
2024-01-12
2024-01-12
openEuler SA Tool V1.0
2024-01-12
libsass security update
An update for libsass is now available for openEuler-22.03-LTS-SP3.
Libsass is a Sass CSS precompiler which is ported for C/C++. This version is more efficient and portable than the original Ruby version. Keeping light and simple is its design philosophy, which makes it easier to build and integrate with an immense number of platforms and languages. Installation of sassc is needed if you want to run it directly, as libsass is just a library.
Security Fix(es):
Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function. (CVE-2022-26592)
Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2. (CVE-2022-43357)
Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS). (CVE-2022-43358)
An update for libsass is now available for openEuler-22.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
libsass
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1049
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-26592
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-43357
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-43358
https://nvd.nist.gov/vuln/detail/CVE-2022-26592
https://nvd.nist.gov/vuln/detail/CVE-2022-43357
https://nvd.nist.gov/vuln/detail/CVE-2022-43358
openEuler-22.03-LTS-SP3
libsass-debugsource-3.6.4-2.oe2203sp3.aarch64.rpm
libsass-3.6.4-2.oe2203sp3.aarch64.rpm
libsass-devel-3.6.4-2.oe2203sp3.aarch64.rpm
libsass-debuginfo-3.6.4-2.oe2203sp3.aarch64.rpm
libsass-3.6.4-2.oe2203sp3.src.rpm
libsass-debuginfo-3.6.4-2.oe2203sp3.x86_64.rpm
libsass-debugsource-3.6.4-2.oe2203sp3.x86_64.rpm
libsass-devel-3.6.4-2.oe2203sp3.x86_64.rpm
libsass-3.6.4-2.oe2203sp3.x86_64.rpm
Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function.
2024-01-12
CVE-2022-26592
openEuler-22.03-LTS-SP3
High
8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
libsass security update
2024-01-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1049
Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2.
2024-01-12
CVE-2022-43357
openEuler-22.03-LTS-SP3
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
libsass security update
2024-01-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1049
Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).
2024-01-12
CVE-2022-43358
openEuler-22.03-LTS-SP3
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
libsass security update
2024-01-12
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1049