In libzypp before August 2018, GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potentially malicious content.
{ "binaries": [ { "binary_name": "libzypp", "binary_version": "15.3.0-1build1" }, { "binary_name": "libzypp-bin", "binary_version": "15.3.0-1build1" }, { "binary_name": "libzypp-common", "binary_version": "15.3.0-1build1" }, { "binary_name": "libzypp-config", "binary_version": "15.3.0-1build1" }, { "binary_name": "libzypp-dev", "binary_version": "15.3.0-1build1" } ] }