SUSE-SU-2018:2690-1: important: Security update for libzypp, zypper

[sle-security-updates at lists.suse.com]

   SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2690-1
Rating:             important
References:         #1036304 #1041178 #1043166 #1045735 #1058515 
                    #1066215 #1070770 #1070851 #1082318 #1084525 
                    #1088037 #1088705 #1091624 #1092413 #1093103 
                    #1096217 #1096617 #1096803 #1099847 #1100028 
                    #1100095 #1100427 #1101349 #1102019 #1102429 
                    #408814 #428822 #907538 
Cross-References:   CVE-2017-9269 CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that solves two vulnerabilities and has 26 fixes
   is now available.

Description:

   This update for libzypp, zypper, libsolv provides the following fixes:

   Security fixes in libzypp:

   - CVE-2018-7685: PackageProvider: Validate RPMs before caching
     (bsc#1091624, bsc#1088705)
   - CVE-2017-9269: Be sure bad packages do not stay in the cache
     (bsc#1045735)

   Changes in libzypp:

   - Update to version 17.6.4
   - Automatically fetch repository signing key from gpgkey url (bsc#1088037)
   - lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
   - Check for not imported keys after multi key import from rpmdb
     (bsc#1096217)
   - Flags: make it std=c++14 ready
   - Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
   - Show GPGME version in log
   - Adapt to changes in libgpgme11-11.1.0 breaking the signature
     verification (bsc#1100427)
   - RepoInfo::provideKey: add report telling where we look for missing keys.
   - Support listing gpgkey URLs in repo files (bsc#1088037)
   - Add new report to request user approval for importing a package key
   - Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
   - Add filesize check for downloads with known size (bsc#408814)
   - Removed superfluous space in translation (bsc#1102019)
   - Prevent the system from sleeping during a commit
   - RepoManager: Explicitly request repo2solv to generate application pseudo
     packages.
   - libzypp-devel should not require cmake (bsc#1101349)
   - Avoid zombies from ExternalProgram
   - Update ApiConfig
   - HardLocksFile: Prevent against empty commit without Target having been
     been loaded (bsc#1096803)
   - lsof: use '-K i' if lsof supports it (bsc#1099847)
   - Add filesize check for downloads with known size (bsc#408814)
   - Fix detection of metalink downloads and prevent aborting if a metalink
     file is larger than the expected data file.
   - Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
   - Make use of %license macro (bsc#1082318)

   Security fix in zypper:

   - CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

   Changes in zypper:

   - Always set error status if any nr of unknown repositories are passed to
     lr and ref (bsc#1093103)
   - Notify user about unsupported rpm V3 keys in an old rpm database
     (bsc#1096217)
   - Detect read only filesystem on system modifying operations (fixes #199)
   - Use %license (bsc#1082318)
   - Handle repo aliases containing multiple ':' in the PackageArgs parser
     (bsc #1041178)
   - Fix broken display of detailed query results.
   - Fix broken search for items with a dash. (bsc#907538, bsc#1043166,
     bsc#1070770)
   - Disable repository operations when searching installed packages.
     (bsc#1084525)
   - Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
   - ansi.h: Prevent ESC sequence strings from going out of scope.
     (bsc#1092413)
   - Fix some translation errors.
   - Support listing gpgkey URLs in repo files (bsc#1088037)
   - Check for root privileges in zypper verify and si (bsc#1058515)
   - XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
   - Add expert (allow-*) options to all installer commands (bsc#428822)
   - Sort search results by multiple columns (bsc#1066215)
   - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf
     (bsc#1100028)
   - Set error status if repositories passed to lr and ref are not known
     (bsc#1093103)
   - Do not override table style in search
   - Fix out of bound read in MbsIterator
   - Add --supplements switch to search and info
   - Add setter functions for zypp cache related config values to ZConfig

   Changes in libsolv:

   - convert repo2solv.sh script into a binary tool
   - Make use of %license macro (bsc#1082318)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1883=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1883=1



Package List:

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

      libsolv-debuginfo-0.6.35-3.5.2
      libsolv-debugsource-0.6.35-3.5.2
      perl-solv-0.6.35-3.5.2
      perl-solv-debuginfo-0.6.35-3.5.2
      python3-solv-0.6.35-3.5.2
      python3-solv-debuginfo-0.6.35-3.5.2
      ruby-solv-0.6.35-3.5.2
      ruby-solv-debuginfo-0.6.35-3.5.2

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

      libsolv-debuginfo-0.6.35-3.5.2
      libsolv-debugsource-0.6.35-3.5.2
      libsolv-devel-0.6.35-3.5.2
      libsolv-devel-debuginfo-0.6.35-3.5.2
      libsolv-tools-0.6.35-3.5.2
      libsolv-tools-debuginfo-0.6.35-3.5.2
      libzypp-17.6.4-3.10.1
      libzypp-debuginfo-17.6.4-3.10.1
      libzypp-debugsource-17.6.4-3.10.1
      libzypp-devel-17.6.4-3.10.1
      python-solv-0.6.35-3.5.2
      python-solv-debuginfo-0.6.35-3.5.2
      zypper-1.14.10-3.7.1
      zypper-debuginfo-1.14.10-3.7.1
      zypper-debugsource-1.14.10-3.7.1

   - SUSE Linux Enterprise Module for Basesystem 15 (noarch):

      zypper-log-1.14.10-3.7.1


References:

   https://www.suse.com/security/cve/CVE-2017-9269.html
   https://www.suse.com/security/cve/CVE-2018-7685.html
   https://bugzilla.suse.com/1036304
   https://bugzilla.suse.com/1041178
   https://bugzilla.suse.com/1043166
   https://bugzilla.suse.com/1045735
   https://bugzilla.suse.com/1058515
   https://bugzilla.suse.com/1066215
   https://bugzilla.suse.com/1070770
   https://bugzilla.suse.com/1070851
   https://bugzilla.suse.com/1082318
   https://bugzilla.suse.com/1084525
   https://bugzilla.suse.com/1088037
   https://bugzilla.suse.com/1088705
   https://bugzilla.suse.com/1091624
   https://bugzilla.suse.com/1092413
   https://bugzilla.suse.com/1093103
   https://bugzilla.suse.com/1096217
   https://bugzilla.suse.com/1096617
   https://bugzilla.suse.com/1096803
   https://bugzilla.suse.com/1099847
   https://bugzilla.suse.com/1100028
   https://bugzilla.suse.com/1100095
   https://bugzilla.suse.com/1100427
   https://bugzilla.suse.com/1101349
   https://bugzilla.suse.com/1102019
   https://bugzilla.suse.com/1102429
   https://bugzilla.suse.com/408814
   https://bugzilla.suse.com/428822
   https://bugzilla.suse.com/907538