Till Dörges

**Name of the Vulnerable Software and Affected Versions** libzypp versions prior to August 2018 **Description** The issue concerns the incorrect pinning of GPG keys attached to YUM repositories in libzypp, allowing malicious repository mirrors to silently downgrade to unsigned repositories. This could potentially lead to the distribution of malicious content. **Recommendations** For versions prior to August 2018, ensure that GPG keys are properly pinned to prevent malicious repository mirrors from downgrading to unsigned repositories. As a temporary workaround, consider restricting access to repository mirrors to minimize the risk of exploitation.