CVE-2017-7436

libzypp accepts unsigned packages even when configured to check signatures

CVSS 8.1 HIGH · EPSS 1.8%
In short

libzypp accepted unsigned software packages without warning the user, so an attacker who could intercept a download or control a repository server could get a malicious package installed on the victim's system.

Technical detail

libzypp before 20170803 did not enforce signature verification for RPM packages: a package that carried no signature at all could be retrieved and installed without any notification to the user. An attacker in a man-in-the-middle position, or one operating a malicious or compromised repository, could therefore substitute an unsigned malicious RPM for a legitimate one on a system whose operator expected signature checks to be active. The CVSS vector's AC:H reflects that the attacker first needs that network position or control of a server the client already trusts.
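
To make the failure mode concrete, here is a small inspector, added as an example and not code from libzypp or the rpm project, that reads an RPM's lead and signature header and reports whether the package carries any OpenPGP signature at all. The tag numbers are RPM's real signature-header tags; the two sample packages are constructed inline as bytes, and `build_rpm`, `describe` and the placeholder digest and signature bytes are the example's own inventions.

```python
"""Minimal RPM signature-header inspector.

Added example, not libzypp's or rpm's own code.  It reads the RPM lead and
the signature header that follows it and reports which signature tags are
present, so a package that carries no OpenPGP signature at all can be
rejected before a package manager ever sees it.  The tag numbers are the
real RPM signature-header tags; the sample packages are constructed inline.
"""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic + structure version 1
LEAD_SIZE = 96
ENTRY_SIZE = 16

# Signature-header tags that hold an OpenPGP signature.
SIG_TAGS = {
    1002: "PGP (legacy RSA over header+payload)",
    1005: "GPG (legacy DSA over header+payload)",
    267: "DSAHEADER",
    268: "RSAHEADER",
}
# Digest-only tags: they detect corruption, not tampering.
DIGEST_TAGS = {1000: "SIZE", 1004: "MD5", 269: "SHA1", 273: "SHA256"}


def parse_signature_tags(blob: bytes) -> dict:
    """Return {tag: (type, count)} for every index entry in the signature header."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file: bad lead magic")
    off = LEAD_SIZE
    if blob[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # Header intro: magic(4) reserved(4) nindex(4) hsize(4), big-endian.
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    off += 16
    if len(blob) < off + nindex * ENTRY_SIZE + hsize:
        raise ValueError("truncated signature header")
    tags = {}
    for i in range(nindex):
        tag, typ, data_off, count = struct.unpack(
            ">iIiI", blob[off + i * ENTRY_SIZE:off + (i + 1) * ENTRY_SIZE])
        if not 0 <= data_off <= hsize:
            raise ValueError(f"entry for tag {tag} points outside header data")
        tags[tag] = (typ, count)
    return tags


def is_signed(blob: bytes) -> bool:
    """True if the signature header carries any OpenPGP signature tag.

    Presence is necessary, not sufficient: the signature still has to be
    verified against a trusted key (rpmkeys -K does that on a real file).
    """
    return any(tag in SIG_TAGS for tag in parse_signature_tags(blob))


def describe(blob: bytes) -> str:
    """One-line verdict plus the tag names found, for logging or a CI gate."""
    tags = parse_signature_tags(blob)
    names = [SIG_TAGS.get(t) or DIGEST_TAGS.get(t) or str(t) for t in sorted(tags)]
    verdict = "signed" if is_signed(blob) else "UNSIGNED"
    return f"{verdict}: {', '.join(names)}"


def build_rpm(entries) -> bytes:
    """Constructed sample: a lead plus a signature header holding `entries`.

    entries is a list of (tag, type, count, data).  No main header or
    payload follows, which is all the parser above needs.
    """
    lead = RPM_LEAD_MAGIC + bytes([3, 0])            # magic, major 3, minor 0
    lead += struct.pack(">HH", 0, 1)                 # type binary, arch i386
    lead += b"sample-1.0-1".ljust(66, b"\0")         # package name
    lead += struct.pack(">HH", 1, 5)                 # os Linux, header-style sig
    lead += b"\0" * 16                               # reserved
    index = b""
    data = b""
    for tag, typ, count, payload in entries:
        index += struct.pack(">iIiI", tag, typ, len(data), count)
        data += payload
    header = RPM_HEADER_MAGIC + b"\0" * 4
    header += struct.pack(">II", len(entries), len(data)) + index + data
    header += b"\0" * (-len(header) % 8)            # pad to 8-byte boundary
    return lead + header


# Constructed samples.  Digest and signature bytes are placeholders, not
# real hashes or OpenPGP packets; only the tag layout matters here.
_SIZE = (1000, 4, 1, struct.pack(">I", 4096))       # RPM_INT32_TYPE
_MD5 = (1004, 7, 16, bytes(range(16)))             # RPM_BIN_TYPE
_RSA = (268, 7, 8, b"\x89\x01\x8d\x04\x00\x01\x08\x00")

UNSIGNED_RPM = build_rpm([_SIZE, _MD5])
SIGNED_RPM = build_rpm([_SIZE, _MD5, _RSA])

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED_RPM), ("signed", SIGNED_RPM)):
        print(f"{label:8s} -> {describe(blob)}")
```

The digest-only package is exactly the kind of input the affected libzypp let through: its MD5 and size tags check out, so nothing "fails", yet nothing proves who built it. A signature tag being present is only the first gate; on a real file `rpm -K` (or `rpmkeys -K`) goes on to verify it against the imported keys, which is what a fixed libzypp does before installing. On an affected system the practical steps are updating libzypp past the fix and confirming that every repository definition keeps `gpgcheck=1`, so an unsigned package is refused rather than silently accepted.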

Summary generated and translated by AI from the official description.
In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
SUSE · libzypp
