{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"lapack security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for lapack is now available for openEuler-20.03-LTS-SP3.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"LAPACK (Linear Algebra PACKage) is a standard library for numerical linear algebra. LAPACK provides routines for solving systems of simultaneous linear equations, least-squares solutions of linear systems of equations, eigenvalue problems, and singular value problems. Associated matrix factorizations (LU, Cholesky, QR, SVD, Schur, and generalized Schur) and related computations (i.e., reordering of Schur factorizations and estimating condition numbers) are also included. LAPACK can handle dense and banded matrices, but not general sparse matrices. Similar functionality is provided for real and complex matrices in both single and double precision. LAPACK is coded in Fortran90 and built with gcc.\n\nSecurity Fix(es):\n\nAn out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory. (CVE-2021-4048)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for lapack is now available for openEuler-20.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"lapack",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2022-1947",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1947"
			},
			{
				"summary":"CVE-2021-4048",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2021-4048&packageName=lapack"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4048"
			},
			{
				"summary":"openEuler-SA-2022-1947 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2022/csaf-openeuler-sa-2022-1947.json"
			}
		],
		"title":"An update for lapack is now available for openEuler-20.03-LTS-SP3",
		"tracking":{
			"initial_release_date":"2022-09-23T09:45:46+08:00",
			"revision_history":[
				{
					"date":"2022-09-23T09:45:46+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:45:46+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:45:46+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:45:46+08:00",
			"id":"openEuler-SA-2022-1947",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"openEuler-20.03-LTS-SP3",
									"name":"openEuler-20.03-LTS-SP3"
								},
								"name":"openEuler-20.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"lapack-3.9.0-6.oe1.aarch64.rpm(20.03-LTS-SP3)",
									"name":"lapack-3.9.0-6.oe1.aarch64.rpm"
								},
								"name":"lapack-3.9.0-6.oe1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"lapack-help-3.9.0-6.oe1.aarch64.rpm(20.03-LTS-SP3)",
									"name":"lapack-help-3.9.0-6.oe1.aarch64.rpm"
								},
								"name":"lapack-help-3.9.0-6.oe1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"lapack-devel-3.9.0-6.oe1.aarch64.rpm(20.03-LTS-SP3)",
									"name":"lapack-devel-3.9.0-6.oe1.aarch64.rpm"
								},
								"name":"lapack-devel-3.9.0-6.oe1.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"lapack-3.9.0-6.oe1.src.rpm(20.03-LTS-SP3)",
									"name":"lapack-3.9.0-6.oe1.src.rpm"
								},
								"name":"lapack-3.9.0-6.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"lapack-3.9.0-6.oe1.x86_64.rpm(20.03-LTS-SP3)",
									"name":"lapack-3.9.0-6.oe1.x86_64.rpm"
								},
								"name":"lapack-3.9.0-6.oe1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"lapack-help-3.9.0-6.oe1.x86_64.rpm(20.03-LTS-SP3)",
									"name":"lapack-help-3.9.0-6.oe1.x86_64.rpm"
								},
								"name":"lapack-help-3.9.0-6.oe1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"lapack-devel-3.9.0-6.oe1.x86_64.rpm(20.03-LTS-SP3)",
									"name":"lapack-devel-3.9.0-6.oe1.x86_64.rpm"
								},
								"name":"lapack-devel-3.9.0-6.oe1.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"lapack-3.9.0-6.oe1.aarch64.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.aarch64",
					"name":"lapack-3.9.0-6.oe1.aarch64 as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"lapack-help-3.9.0-6.oe1.aarch64.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.aarch64",
					"name":"lapack-help-3.9.0-6.oe1.aarch64 as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"lapack-devel-3.9.0-6.oe1.aarch64.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.aarch64",
					"name":"lapack-devel-3.9.0-6.oe1.aarch64 as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"lapack-3.9.0-6.oe1.src.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.src",
					"name":"lapack-3.9.0-6.oe1.src as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"lapack-3.9.0-6.oe1.x86_64.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.x86_64",
					"name":"lapack-3.9.0-6.oe1.x86_64 as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"lapack-help-3.9.0-6.oe1.x86_64.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.x86_64",
					"name":"lapack-help-3.9.0-6.oe1.x86_64 as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"lapack-devel-3.9.0-6.oe1.x86_64.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.x86_64",
					"name":"lapack-devel-3.9.0-6.oe1.x86_64 as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2021-4048",
			"notes":[
				{
					"text":"An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.aarch64",
					"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.aarch64",
					"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.aarch64",
					"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.src",
					"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.x86_64",
					"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.x86_64",
					"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.aarch64",
						"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.aarch64",
						"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.aarch64",
						"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.src",
						"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.x86_64",
						"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.x86_64",
						"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.x86_64"
					],
					"details":"lapack security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1947"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.9,
						"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.aarch64",
						"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.aarch64",
						"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.aarch64",
						"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.src",
						"openEuler-20.03-LTS-SP3:lapack-3.9.0-6.oe1.x86_64",
						"openEuler-20.03-LTS-SP3:lapack-help-3.9.0-6.oe1.x86_64",
						"openEuler-20.03-LTS-SP3:lapack-devel-3.9.0-6.oe1.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2021-4048"
		}
	]
}