Your message dated Wed, 27 May 2026 20:50:23 +0200
with message-id <[email protected]>
and subject line Re: Accepted libsolv 0.7.38-1 (source) into unstable
has caused the Debian Bug report #1137373,
regarding libsolv: CVE-2026-9149
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137373
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsolv
Version: 0.7.37-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/openSUSE/libsolv/pull/617
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libsolv.
CVE-2026-9149[0]:
| A flaw was found in libsolv. This heap buffer overflow vulnerability
| occurs when a victim processes a specially crafted `.solv` file
| containing negative size values in the `repo_add_solv` function.
| This leads to an undersized memory allocation and a subsequent out-
| of-bounds write. An attacker could exploit this to cause a denial of
| service (DoS).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9149
https://www.cve.org/CVERecord?id=CVE-2026-9149
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2460380
[2] https://github.com/openSUSE/libsolv/pull/617
[3] https://github.com/openSUSE/libsolv/commit/210386037c892a720972ad35a3d8f7073b4d763b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
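The bug class named in the CVE text of the report above (a size read from the file as a signed value, a check that only bounds it from above, an undersized allocation, then a write governed by the same value), shown as an added C example on a made-up record layout. This is not libsolv's code, not the `.solv` format, and not the fix in PR 617; the record layout, the constants and the functions `vuln_alloc_bytes`, `checked_count` and `parse_entries` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical record layout (constructed for this example, not .solv):
 * a 4-byte big-endian entry count followed by that many 4-byte entries. */
#define MAX_ENTRIES 1000000

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the count is held as a signed int and only the upper
 * bound is checked. A crafted 0xFFFFFFFF is -1 as int32_t, passes the check,
 * and (count + 1) * 4 yields a 0-byte allocation. A reader that afterwards
 * loops (uint32_t)count times writes far past that buffer, which is the
 * "undersized allocation, then out-of-bounds write" shape the CVE describes.
 * This function only computes the size; it never allocates or writes. */
int vuln_alloc_bytes(int32_t count, size_t *bytes)
{
    if (count > MAX_ENTRIES)
        return -1;                                  /* only "too big" is caught */
    *bytes = (size_t)(count + 1) * sizeof(uint32_t); /* -1 -> 0 bytes */
    return 0;
}

/* Hardened check: reject negative counts, cap them, and require that the
 * entries actually fit in the input that remains (avail bytes). */
int checked_count(int32_t count, size_t avail, size_t *out)
{
    if (count < 0 || count > MAX_ENTRIES)
        return -1;
    if ((size_t)count > avail / sizeof(uint32_t))
        return -1;
    *out = (size_t)count;
    return 0;
}

/* Parse one record. Returns the entry count, or -1 on malformed input.
 * On success *out is a malloc'd array the caller frees. */
long parse_entries(const unsigned char *buf, size_t len, uint32_t **out)
{
    size_t n, i;
    uint32_t *arr;

    if (len < 4)
        return -1;
    /* The cast gives the signed view a vulnerable reader would operate on
     * (two's-complement targets assumed). */
    if (checked_count((int32_t)read_be32(buf), len - 4, &n) != 0)
        return -1;
    arr = malloc((n ? n : 1) * sizeof(uint32_t));   /* avoid malloc(0) */
    if (!arr)
        return -1;
    for (i = 0; i < n; i++)
        arr[i] = read_be32(buf + 4 + 4 * i);
    *out = arr;
    return (long)n;
}

/* Constructed sample inputs (not real .solv data). */
const unsigned char sample_good[]     = {0, 0, 0, 2, 0, 0, 0, 42, 0, 0, 0, 7};
const unsigned char sample_negative[] = {0xff, 0xff, 0xff, 0xff, 0, 0, 0, 1};
const unsigned char sample_short[]    = {0, 0, 0, 9, 0, 0, 0, 1}; /* claims 9, carries 1 */

int main(void)
{
    uint32_t *a = NULL;
    size_t bytes = 0;
    long n = parse_entries(sample_good, sizeof sample_good, &a);
    printf("good: %ld entries, first=%u\n", n, n > 0 ? a[0] : 0);
    free(a);
    printf("negative count rejected: %s\n",
           parse_entries(sample_negative, sizeof sample_negative, &a) == -1 ? "yes" : "no");
    printf("truncated input rejected: %s\n",
           parse_entries(sample_short, sizeof sample_short, &a) == -1 ? "yes" : "no");
    vuln_alloc_bytes(-1, &bytes);
    printf("vulnerable size computation for count -1: %zu bytes\n", bytes);
    return 0;
}
```

The point to take from the example is that a sign check alone is not enough: a count that is non-negative but larger than the remaining input still leads to reads past the buffer, so the hardened check bounds the value against both the format's cap and the bytes actually available.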
--- Begin Message ---
Source: libsolv
Source-Version: 0.7.38-1
This fixes #1137373, CVE-2026-9149, but unfortunately it was not
included in the changelog. Closing manually.
Regards,
Salvatore
On Wed, May 27, 2026 at 05:30:42PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Wed, 27 May 2026 13:53:52 +0100
> Source: libsolv
> Architecture: source
> Version: 0.7.38-1
> Distribution: unstable
> Urgency: medium
> Maintainer: RPM packaging team <[email protected]>
> Changed-By: Luca Boccassi <[email protected]>
> Changes:
> libsolv (0.7.38-1) unstable; urgency=medium
> .
> * Update upstream source from tag 'upstream/0.7.38'
> * Stop installing TODO file
> Checksums-Sha1:
> 259f00319273979d4a506388320fbb2f31e384ad 2567 libsolv_0.7.38-1.dsc
> 4406e6e07c46849c4120f8fe5291c41999ec9a28 781506 libsolv_0.7.38.orig.tar.gz
> 42a9e47c10420102367eac2a784df3c310058dab 12364 libsolv_0.7.38-1.debian.tar.xz
> f6aba7d8300a2bd3a22202542438e790ef048fb0 8731 libsolv_0.7.38-1_source.buildinfo
> Checksums-Sha256:
> 0d4bde5bac7ca04566d1c53da8ce2b8c85c331c9052f9090efd07b7ed989e421 2567 libsolv_0.7.38-1.dsc
> 08487f070e6178e024a3f36f9d8759e0466dc1d13e30bfe31cab5bbef2fa7be1 781506 libsolv_0.7.38.orig.tar.gz
> c879d7df44dcd99ced8bdc132715f149dd135539f08d9a52405d0484d256a926 12364 libsolv_0.7.38-1.debian.tar.xz
> 5c47c1e9ef1161c5562e91f35f3b575c611cef3c3fe2cef60d1fb12489cf5ba5 8731 libsolv_0.7.38-1_source.buildinfo
> Files:
> a91e971b7341c4a0825698bc9b766b66 2567 admin optional libsolv_0.7.38-1.dsc
> 1ce4b6f07ee8998160cc09ede993dfd3 781506 admin optional libsolv_0.7.38.orig.tar.gz
> d9739a78af5653a308bff0ed0b6f7793 12364 admin optional libsolv_0.7.38-1.debian.tar.xz
> 6a95f5a211a440d1d5288d1797b9a08d 8731 admin optional libsolv_0.7.38-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQJFBAEBCgAvFiEErCSqx93EIPGOymuRKGv37813JB4FAmoXJSwRHGJsdWNhQGRl
> Ymlhbi5vcmcACgkQKGv37813JB7l4RAAxK6M+8IR/ye3yvRqXiUvvifndJhAeJo+
> WSBjYpO8VUkeSC9l+VzwSQEPNR/p7OZJp52assyCvfNqnaJZZ7eG1snlijC/xesh
> XDqMBi7PRr78jLSzexFH2dLOb2HepgN5VxVn1hM9nTv/ISPzRTRZxr2/AfMGvGly
> d2EWfsl+e70UCSYLEzbuHxgeLC9gfsrg9ez3fcLkHZfrTZX4TdTEO5cfbJs/W4c5
> bO3PyAzQ6SxWM1uWzhqPVdIN33NqlKvFnjFHT+kUjJXVlxqFj5sIEXm0eZoDctkl
> g+VAGlaM4AzJwv+TEdHULSsNFjoMFKykktotb+ih8YLvvt06RP27Y1fXefgGphvv
> TqIinUopbD/M50CwviDss9xK0QYKMKi58n1TvEcg+NIPLVud4Ml73+9dJma2RILE
> NcBBFVT7VgfNeLx30D4rn3o7OJmlmge+XNzD+4lZyo7yP2u2i37znguRlgmurQOT
> ZCXgTK8GnQmEKouoiIL9iU6vPLEBUSbjDRAHCApsVdzmVPjiTiZZMzxBFUT5oCtm
> NW7VY9N3hOQIr5v1tJGPRP8/8IHzzp/BHQL7uiZwbd9plF6ZAoYB9DCsTvy9wLw/
> /dNGyOG2+q3Yxrgcv6zy3vlCx7q5jNu6tl6DQBFvlmlCYDCZsU6xtiXSmNxL0lGE
> uX1W54gIt+0=
> =Nw6E
> -----END PGP SIGNATURE-----
--- End Message ---