openSUSE-SU-2018:2739-1: important: Security update for libzypp, zypper


openSUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:2739-1
Rating: important
References: #1036304 #1041178 #1043166 #1045735 #1058515
#1066215 #1070770 #1070851 #1082318 #1084525
#1088037 #1088705 #1091624 #1092413 #1093103
#1096217 #1096617 #1096803 #1099847 #1100028
#1100095 #1100427 #1101349 #1102019 #1102429
#408814 #428822 #907538
Cross-References: CVE-2017-9269 CVE-2018-7685
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has 26 fixes
is now available.

Description:

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

– CVE-2018-7685: PackageProvider: Validate RPMs before caching
(bsc#1091624, bsc#1088705)
– CVE-2017-9269: Be sure bad packages do not stay in the cache
(bsc#1045735)

Changes in libzypp:

– Update to version 17.6.4
– Automatically fetch repository signing key from gpgkey url (bsc#1088037)
– lsof: use ‘-K i’ if lsof supports it (bsc#1099847,bsc#1036304)
– Check for not imported keys after multi key import from rpmdb
(bsc#1096217)
– Flags: make it std=c++14 ready
– Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
– Show GPGME version in log
– Adapt to changes in libgpgme11-11.1.0 breaking the signature
verification (bsc#1100427)
– RepoInfo::provideKey: add report telling where we look for missing keys.
– Support listing gpgkey URLs in repo files (bsc#1088037)
– Add new report to request user approval for importing a package key
– Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
– Add filesize check for downloads with known size (bsc#408814)
– Removed superfluous space in translation (bsc#1102019)
– Prevent the system from sleeping during a commit
– RepoManager: Explicitly request repo2solv to generate application pseudo
packages.
– libzypp-devel should not require cmake (bsc#1101349)
– Avoid zombies from ExternalProgram
– Update ApiConfig
– HardLocksFile: Prevent against empty commit without Target having been
been loaded (bsc#1096803)
– lsof: use ‘-K i’ if lsof supports it (bsc#1099847)
– Add filesize check for downloads with known size (bsc#408814)
– Fix detection of metalink downloads and prevent aborting if a metalink
file is larger than the expected data file.
– Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
– Make use of %license macro (bsc#1082318)

Security fix in zypper:

– CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

– Always set error status if any nr of unknown repositories are passed to
lr and ref (bsc#1093103)
– Notify user about unsupported rpm V3 keys in an old rpm database
(bsc#1096217)
– Detect read only filesystem on system modifying operations (fixes #199)
– Use %license (bsc#1082318)
– Handle repo aliases containing multiple ‘:’ in the PackageArgs parser
(bsc #1041178)
– Fix broken display of detailed query results.
– Fix broken search for items with a dash. (bsc#907538, bsc#1043166,
bsc#1070770)
– Disable repository operations when searching installed packages.
(bsc#1084525)
– Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
– ansi.h: Prevent ESC sequence strings from going out of scope.
(bsc#1092413)
– Fix some translation errors.
– Support listing gpgkey URLs in repo files (bsc#1088037)
– Check for root privileges in zypper verify and si (bsc#1058515)
– XML attribute `packages-to-change` added (bsc#1102429)
– Add expert (allow-*) options to all installer commands (bsc#428822)
– Sort search results by multiple columns (bsc#1066215)
– man: Strengthen that `–config FILE’ affects zypper.conf, not zypp.conf
(bsc#1100028)
– Set error status if repositories passed to lr and ref are not known
(bsc#1093103)
– Do not override table style in search
– Fix out of bound read in MbsIterator
– Add –supplements switch to search and info
– Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

– convert repo2solv.sh script into a binary tool
– Make use of %license macro (bsc#1082318)

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1017=1

Package List:

– openSUSE Leap 15.0 (x86_64):

libsolv-debuginfo-0.6.35-lp150.2.3.1
libsolv-debugsource-0.6.35-lp150.2.3.1
libsolv-demo-0.6.35-lp150.2.3.1
libsolv-demo-debuginfo-0.6.35-lp150.2.3.1
libsolv-devel-0.6.35-lp150.2.3.1
libsolv-devel-debuginfo-0.6.35-lp150.2.3.1
libsolv-tools-0.6.35-lp150.2.3.1
libsolv-tools-debuginfo-0.6.35-lp150.2.3.1
libzypp-17.6.4-lp150.2.3.1
libzypp-debuginfo-17.6.4-lp150.2.3.1
libzypp-debugsource-17.6.4-lp150.2.3.1
libzypp-devel-17.6.4-lp150.2.3.1
libzypp-devel-doc-17.6.4-lp150.2.3.1
perl-solv-0.6.35-lp150.2.3.1
perl-solv-debuginfo-0.6.35-lp150.2.3.1
python-solv-0.6.35-lp150.2.3.1
python-solv-debuginfo-0.6.35-lp150.2.3.1
python3-solv-0.6.35-lp150.2.3.1
python3-solv-debuginfo-0.6.35-lp150.2.3.1
ruby-solv-0.6.35-lp150.2.3.1
ruby-solv-debuginfo-0.6.35-lp150.2.3.1
zypper-1.14.10-lp150.2.3.1
zypper-debuginfo-1.14.10-lp150.2.3.1
zypper-debugsource-1.14.10-lp150.2.3.1

– openSUSE Leap 15.0 (noarch):

zypper-aptitude-1.14.10-lp150.2.3.1
zypper-log-1.14.10-lp150.2.3.1

References:

https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1041178
https://bugzilla.suse.com/1043166
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1058515
https://bugzilla.suse.com/1066215
https://bugzilla.suse.com/1070770
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1084525
https://bugzilla.suse.com/1088037
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1093103
https://bugzilla.suse.com/1096217
https://bugzilla.suse.com/1096617
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1100095
https://bugzilla.suse.com/1100427
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102019
https://bugzilla.suse.com/1102429
https://bugzilla.suse.com/408814
https://bugzilla.suse.com/428822
https://bugzilla.suse.com/907538


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org