SUSE-SU-2018:2690-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20182690-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:2690-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:2690-1
Published
2018-09-11T13:50:37Z
Modified
2018-09-11T13:50:37Z
Summary
Security update for libzypp, zypper
Details

This update for libzypp, zypper and libsolv provides the following fixes:

Security fixes in libzypp:

  • CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705)
  • CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)

Changes in libzypp:

  • Update to version 17.6.4
  • Automatically fetch repository signing key from gpgkey url (bsc#1088037)
  • lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
  • Check for not imported keys after multi key import from rpmdb (bsc#1096217)
  • Flags: make it std=c++14 ready
  • Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
  • Show GPGME version in log
  • Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427)
  • RepoInfo::provideKey: add report telling where we look for missing keys.
  • Support listing gpgkey URLs in repo files (bsc#1088037)
  • Add new report to request user approval for importing a package key
  • Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
  • Add filesize check for downloads with known size (bsc#408814)
  • Removed superfluous space in translation (bsc#1102019)
  • Prevent the system from sleeping during a commit
  • RepoManager: Explicitly request repo2solv to generate application pseudo packages.
  • libzypp-devel should not require cmake (bsc#1101349)
  • Avoid zombies from ExternalProgram
  • Update ApiConfig
  • HardLocksFile: Prevent an empty commit without the Target having been loaded (bsc#1096803)
  • lsof: use '-K i' if lsof supports it (bsc#1099847)
  • Fix detection of metalink downloads and prevent aborting if a metalink file is larger than the expected data file.
  • Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
  • Make use of %license macro (bsc#1082318)

Security fix in zypper:

  • CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

  • Always set error status if any nr of unknown repositories are passed to lr and ref (bsc#1093103)
  • Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217)
  • Detect read only filesystem on system modifying operations (fixes #199)
  • Use %license (bsc#1082318)
  • Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc#1041178)
  • Fix broken display of detailed query results.
  • Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770)
  • Disable repository operations when searching installed packages. (bsc#1084525)
  • Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
  • ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
  • Fix some translation errors.
  • Support listing gpgkey URLs in repo files (bsc#1088037)
  • Check for root privileges in zypper verify and si (bsc#1058515)
  • XML <install-summary> attribute packages-to-change added (bsc#1102429)
  • Add expert (allow-*) options to all installer commands (bsc#428822)
  • Sort search results by multiple columns (bsc#1066215)
  • man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
  • Set error status if repositories passed to lr and ref are not known (bsc#1093103)
  • Do not override table style in search
  • Fix out of bound read in MbsIterator
  • Add --supplements switch to search and info
  • Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

  • convert repo2solv.sh script into a binary tool
  • Make use of %license macro (bsc#1082318)
Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 / libsolv

Package

Name
libsolv
Purl
pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.6.35-3.5.2

Ecosystem specific

{
    "binaries": [
        {
            "zypper": "1.14.10-3.7.1",
            "libzypp": "17.6.4-3.10.1",
            "python-solv": "0.6.35-3.5.2",
            "libsolv-devel": "0.6.35-3.5.2",
            "zypper-log": "1.14.10-3.7.1",
            "libsolv-tools": "0.6.35-3.5.2",
            "libzypp-devel": "17.6.4-3.10.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Basesystem 15 / libzypp

Package

Name
libzypp
Purl
pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
17.6.4-3.10.1

Ecosystem specific

{
    "binaries": [
        {
            "zypper": "1.14.10-3.7.1",
            "libzypp": "17.6.4-3.10.1",
            "python-solv": "0.6.35-3.5.2",
            "libsolv-devel": "0.6.35-3.5.2",
            "zypper-log": "1.14.10-3.7.1",
            "libsolv-tools": "0.6.35-3.5.2",
            "libzypp-devel": "17.6.4-3.10.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Basesystem 15 / zypper

Package

Name
zypper
Purl
pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.14.10-3.7.1

Ecosystem specific

{
    "binaries": [
        {
            "zypper": "1.14.10-3.7.1",
            "libzypp": "17.6.4-3.10.1",
            "python-solv": "0.6.35-3.5.2",
            "libsolv-devel": "0.6.35-3.5.2",
            "zypper-log": "1.14.10-3.7.1",
            "libsolv-tools": "0.6.35-3.5.2",
            "libzypp-devel": "17.6.4-3.10.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Development Tools 15 / libsolv

Package

Name
libsolv
Purl
pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.6.35-3.5.2

Ecosystem specific

{
    "binaries": [
        {
            "python3-solv": "0.6.35-3.5.2",
            "ruby-solv": "0.6.35-3.5.2",
            "perl-solv": "0.6.35-3.5.2"
        }
    ]
}