In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content.
A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libzypp | Opensuse | - (including) | - (including) |
| Libzypp | Ubuntu | artful | * |
| Libzypp | Ubuntu | esm-apps/xenial | * |
| Libzypp | Ubuntu | upstream | * |
| Libzypp | Ubuntu | xenial | * |
| Libzypp | Ubuntu | zesty | * |