{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos8.4els/vex/2018/cve-2018-20534-els_os-centos8_4els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-20T16:10:10Z",
      "generator": {
        "date": "2026-04-20T16:14:10Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2018-20534-ELS_OS-CENTOS8.4ELS",
      "initial_release_date": "2018-12-28T16:29:00Z",
      "revision_history": [
        {
          "date": "2018-12-28T16:29:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-10T19:34:28Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-14T11:41:30Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-04-20T16:10:10Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    },
    "title": "Security update on CVE-2018-20534"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-dnf-0:4.4.2-11.el8.noarch",
                "product": {
                  "name": "python3-dnf-0:4.4.2-11.el8.noarch",
                  "product_id": "python3-dnf-0:4.4.2-11.el8.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/python3-dnf@4.4.2-11.el8?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 8.4",
                "product": {
                  "name": "Community Enterprise Operating System 8.4",
                  "product_id": "CentOS-8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:8.4:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-libdnf-0:0.55.0-7.el8.x86_64",
                "product": {
                  "name": "python3-libdnf-0:0.55.0-7.el8.x86_64",
                  "product_id": "python3-libdnf-0:0.55.0-7.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/python3-libdnf@0.55.0-7.el8?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch",
                "product": {
                  "name": "python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch",
                  "product_id": "python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/python3-dnf@4.4.2-11.el8.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
                "product": {
                  "name": "python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
                  "product_id": "python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/python3-libdnf@0.55.0-7.el8.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch"
        },
        "product_reference": "python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64"
        },
        "product_reference": "python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-dnf-0:4.4.2-11.el8.noarch as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.noarch"
        },
        "product_reference": "python3-dnf-0:4.4.2-11.el8.noarch",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-libdnf-0:0.55.0-7.el8.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.x86_64"
        },
        "product_reference": "python3-libdnf-0:0.55.0-7.el8.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-20534",
      "cwe": {
        "id": "CWE-119",
        "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
      },
      "notes": [
        {
          "category": "description",
          "text": "There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue, stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world application.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.noarch",
          "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch",
          "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
          "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2018-20534"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00057.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00057.html"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:2290",
          "url": "https://access.redhat.com/errata/RHSA-2019:2290"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:3583",
          "url": "https://access.redhat.com/errata/RHSA-2019:3583"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=1652604",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1652604"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.suse.com/show_bug.cgi?id=1120631",
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1120631"
        },
        {
          "category": "external",
          "summary": "https://github.com/openSUSE/libsolv/pull/291",
          "url": "https://github.com/openSUSE/libsolv/pull/291"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3916-1/",
          "url": "https://usn.ubuntu.com/3916-1/"
        }
      ],
      "release_date": "2018-12-28T16:29:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "Deprioritize: the flaw is confined to libsolv’s test harness code (ext/testcase.c) and test utility, not the production libsolv library used by package managers. Exploitation would require a user to run the test program with crafted input, and the only effect is a crash of that non-production process (availability-only) with no confidentiality or integrity impact. Because the affected code is not part of any network-exposed or normally invoked runtime component on servers/VMs, there is no realistic remote attack path.",
          "product_ids": [
            "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.noarch",
            "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch",
            "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
            "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.x86_64"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "This issue is confined to libsolv’s test harness (ext/testcase.c) and requires executing test utilities (e.g., testsolv) with crafted testcase files, making it unreachable via the library APIs used by package managers in production. Even if triggered, the effect is limited to a denial‑of‑service crash of the test tool with no confidentiality or integrity impact. In enterprise server/VM environments where test suites are not executed in production, the practical risk is negligible, so this CVE can be safely deprioritized.",
          "product_ids": [
            "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
            "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.noarch",
            "CentOS-8.4:python3-dnf-0:4.4.2-11.el8.tuxcare.els1.noarch",
            "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.tuxcare.els1.x86_64",
            "CentOS-8.4:python3-libdnf-0:0.55.0-7.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}