Security update for libzypp, zypper (important)

2018-09-17T12:07:59
ID OPENSUSE-SU-2018:2739-1
Type suse
Reporter Suse
Modified 2018-09-17T12:07:59

Description

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

  • CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705)
  • CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)

Changes in libzypp:

  • Update to version 17.6.4
  • Automatically fetch repository signing key from gpgkey url (bsc#1088037)
  • lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
  • Check for not imported keys after multi key import from rpmdb (bsc#1096217)
  • Flags: make it std=c++14 ready
  • Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
  • Show GPGME version in log
  • Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427)
  • RepoInfo::provideKey: add report telling where we look for missing keys.
  • Support listing gpgkey URLs in repo files (bsc#1088037)
  • Add new report to request user approval for importing a package key
  • Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
  • Add filesize check for downloads with known size (bsc#408814)
  • Removed superfluous space in translation (bsc#1102019)
  • Prevent the system from sleeping during a commit
  • RepoManager: Explicitly request repo2solv to generate application pseudo packages.
  • libzypp-devel should not require cmake (bsc#1101349)
  • Avoid zombies from ExternalProgram
  • Update ApiConfig
  • HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803)
  • lsof: use '-K i' if lsof supports it (bsc#1099847)
  • Add filesize check for downloads with known size (bsc#408814)
  • Fix detection of metalink downloads and prevent aborting if a metalink file is larger than the expected data file.
  • Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
  • Make use of %license macro (bsc#1082318)

Security fix in zypper:

  • CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

  • Always set error status if any nr of unknown repositories are passed to lr and ref (bsc#1093103)
  • Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217)
  • Detect read only filesystem on system modifying operations (fixes #199)
  • Use %license (bsc#1082318)
  • Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc #1041178)
  • Fix broken display of detailed query results.
  • Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770)
  • Disable repository operations when searching installed packages. (bsc#1084525)
  • Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
  • ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
  • Fix some translation errors.
  • Support listing gpgkey URLs in repo files (bsc#1088037)
  • Check for root privileges in zypper verify and si (bsc#1058515)
  • XML <install-summary> attribute packages-to-change added (bsc#1102429)
  • Add expert (allow-*) options to all installer commands (bsc#428822)
  • Sort search results by multiple columns (bsc#1066215)
  • man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
  • Set error status if repositories passed to lr and ref are not known (bsc#1093103)
  • Do not override table style in search
  • Fix out of bound read in MbsIterator
  • Add --supplements switch to search and info
  • Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

  • convert repo2solv.sh script into a binary tool
  • Make use of %license macro (bsc#1082318)

This update was imported from the SUSE:SLE-15:Update update project.