An update for libdnf is now available for openEuler-20.03-LTS-SP1

Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1224
Final 1.0
1.0 2021-06-22 Initial
openEuler SA Tool V1.0 2021-06-22

libdnf security update

An update for libdnf is now available for openEuler-20.03-LTS-SP1.

A library providing a simplified C and Python API to libsolv.

Security Fix(es):

A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3445)

openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

High
libdnf

https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1224
https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-3445
https://nvd.nist.gov/vuln/detail/CVE-2021-3445

openEuler-20.03-LTS-SP1

python3-hawkey-0.48.0-2.oe1.aarch64.rpm
libdnf-devel-0.48.0-2.oe1.aarch64.rpm
python2-libdnf-0.48.0-2.oe1.aarch64.rpm
libdnf-debuginfo-0.48.0-2.oe1.aarch64.rpm
python3-libdnf-0.48.0-2.oe1.aarch64.rpm
libdnf-debugsource-0.48.0-2.oe1.aarch64.rpm
libdnf-0.48.0-2.oe1.aarch64.rpm
python2-hawkey-0.48.0-2.oe1.aarch64.rpm

libdnf-0.48.0-2.oe1.src.rpm

libdnf-devel-0.48.0-2.oe1.x86_64.rpm
python2-hawkey-0.48.0-2.oe1.x86_64.rpm
python3-hawkey-0.48.0-2.oe1.x86_64.rpm
libdnf-debuginfo-0.48.0-2.oe1.x86_64.rpm
python3-libdnf-0.48.0-2.oe1.x86_64.rpm
libdnf-debugsource-0.48.0-2.oe1.x86_64.rpm
libdnf-0.48.0-2.oe1.x86_64.rpm
python2-libdnf-0.48.0-2.oe1.x86_64.rpm

2021-06-22 CVE-2021-3445 openEuler-20.03-LTS-SP1 High 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

libdnf security update 2021-06-22 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1224