Security update for libzypp, libsolv

Announcement ID:	SUSE-SU-2026:21988-1
Release Date:	2026-06-02T15:05:07Z
Rating:	important
References:	bsc#1259802 bsc#1265935 bsc#1265938 bsc#1266039
Cross-References:	CVE-2026-25707 CVE-2026-48863 CVE-2026-9149 CVE-2026-9150
CVSS scores:	CVE-2026-25707 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2026-48863 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-48863 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-9149 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-9149 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-9149 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-9150 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-9150 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Micro 6.0

An update that solves four vulnerabilities can now be installed.

Description:

This update for libzypp, libsolv fixes the following issues:

libsolv was updated to 0.7.39:

• fix solv_chksum_free segfault when called with a NULL pointer
• made repo_add_solv more robust against corrupt files [bsc#1265935] [CVE-2026-9149]
• fix potential buffer overflow when verifying EdDSA signatures [bsc#1266039] [CVE-2026-48863]
• added limit checks in multiple places to catch overflows
• reduce the size of the language id cache
• fixed Debian canon selection
• fixed dbpath detection in repo_rpmdb_librpm
• reduced stack usage in repo page compression (needed for musl)
• Fixed in earlier release: [bsc#1265938] [CVE-2026-9150]
• fix parsing of recommends in the old Mandriva synthesis format

libzypp was updated to 17.38.11:

• Fix potential crash on malformed or malicious repository metadata (fixes #740)
• Repo metadata: discard entries referring to a location outside the repo (bsc#1259802, CVE-2026-25707) Mirroring those data locally would refer to a location outside the repo's local cache directory. Those data entries are reported and discarded.
• zypp.conf: Allow [env] section to add environment variables. This feature is designed to enable environment-specific settings or debugging options over an extended period. See zypp.conf(5).

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.0
  zypper in -t patch SUSE-SLE-Micro-6.0-739=1

Package List:

• SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  • libzypp-debuginfo-17.38.11-1.1
  • libsolv-tools-debuginfo-0.7.39-1.1
  • libsolv-tools-0.7.39-1.1
  • libsolv-debugsource-0.7.39-1.1
  • libzypp-debugsource-17.38.11-1.1
  • libsolv-tools-base-0.7.39-1.1
  • libsolv-tools-base-debuginfo-0.7.39-1.1
  • libzypp-17.38.11-1.1

References:

• https://www.suse.com/security/cve/CVE-2026-25707.html
• https://www.suse.com/security/cve/CVE-2026-48863.html
• https://www.suse.com/security/cve/CVE-2026-9149.html
• https://www.suse.com/security/cve/CVE-2026-9150.html
• https://bugzilla.suse.com/show_bug.cgi?id=1259802
• https://bugzilla.suse.com/show_bug.cgi?id=1265935
• https://bugzilla.suse.com/show_bug.cgi?id=1265938
• https://bugzilla.suse.com/show_bug.cgi?id=1266039