openEuler Security Advisory: openEuler-SA-2021-1055
Title: An update for librepo is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Revision history: 1.0, 2021-03-05, Initial
Initial release date: 2021-03-05
Current release date: 2021-03-05
Generator: openEuler SA Tool V1.0, 2021-03-05
Severity: High
CVSS base score: 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

Summary

librepo security update. An update for librepo is now available for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1.

Description

librepo is a library providing a C and Python (libcURL-like) API for downloading repository metadata.

Security Fix(es):

A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories. (CVE-2020-14352)

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Affected products

openEuler-20.03-LTS
openEuler-20.03-LTS-SP1

Fixed packages (the same set is shipped for openEuler-20.03-LTS and openEuler-20.03-LTS-SP1)

aarch64:
librepo-1.12.0-2.oe1.aarch64.rpm
librepo-devel-1.12.0-2.oe1.aarch64.rpm
librepo-debuginfo-1.12.0-2.oe1.aarch64.rpm
librepo-debugsource-1.12.0-2.oe1.aarch64.rpm
python2-librepo-1.12.0-2.oe1.aarch64.rpm
python3-librepo-1.12.0-2.oe1.aarch64.rpm

source:
librepo-1.12.0-2.oe1.src.rpm

x86_64:
librepo-1.12.0-2.oe1.x86_64.rpm
librepo-devel-1.12.0-2.oe1.x86_64.rpm
librepo-debuginfo-1.12.0-2.oe1.x86_64.rpm
librepo-debugsource-1.12.0-2.oe1.x86_64.rpm
python2-librepo-1.12.0-2.oe1.x86_64.rpm
python3-librepo-1.12.0-2.oe1.x86_64.rpm

Vulnerability details

CVE-2020-14352
Release date: 2021-03-05
Affected products: openEuler-20.03-LTS, openEuler-20.03-LTS-SP1
Severity: High
CVSS base score: 8.0
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Remediation: librepo security update, 2021-03-05, https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1055

References

https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1055
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-14352
https://nvd.nist.gov/vuln/detail/CVE-2020-14352
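The sanitization the advisory describes as missing, shown as an added defensive example that is not librepo's own code: a location string taken from repository metadata is accepted only if it is relative and contains no ".." component, and only then joined to the destination directory. Function names are hypothetical, the sample locations are constructed test data, and symlinks already present under the destination directory are out of scope.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a metadata-supplied location may be placed under the
 * destination directory: it must be relative and contain no ".."
 * component. Empty and "." components are harmless and tolerated. */
int repo_location_is_safe(const char *loc)
{
    if (loc == NULL || *loc == '\0' || *loc == '/')
        return 0;                       /* absolute path escapes destdir */
    const char *p = loc;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* ".." component climbs out */
        if (!end)
            break;
        p = end + 1;
    }
    return 1;
}

/* Write "<destdir>/<loc>" into out only when loc passed the check.
 * Returns 1 on success, 0 if loc was rejected or out is too small. */
int repo_safe_join(char *out, size_t outsz, const char *destdir, const char *loc)
{
    if (!repo_location_is_safe(loc))
        return 0;
    int n = snprintf(out, outsz, "%s/%s", destdir, loc);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    /* constructed sample locations as they could appear in repo metadata */
    const char *samples[] = { "repodata/primary.xml.gz",
                              "../../etc/cron.d/job",
                              "/etc/passwd",
                              "repodata/../../../tmp/x" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = repo_safe_join(path, sizeof path, "/var/cache/repo", samples[i]);
        printf("%-28s -> %s\n", samples[i], ok ? path : "REJECTED");
    }
    return 0;
}
```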