drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Zwei Probleme in libzypp und zypper
Name: |
Zwei Probleme in libzypp und zypper |
|
ID: |
openSUSE-SU-2018:2739-1 |
|
Distribution: |
SUSE |
|
Plattformen: |
openSUSE Leap 15.0 |
|
Datum: |
Di, 18. September 2018, 07:25 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7685 |
|
Applikationen: |
Zypper, Zypper |
|
Originalnachricht |
openSUSE Security Update: Security update for libzypp, zypper ______________________________________________________________________________
Announcement ID: openSUSE-SU-2018:2739-1 Rating: important References: #1036304 #1041178 #1043166 #1045735 #1058515 #1066215 #1070770 #1070851 #1082318 #1084525 #1088037 #1088705 #1091624 #1092413 #1093103 #1096217 #1096617 #1096803 #1099847 #1100028 #1100095 #1100427 #1101349 #1102019 #1102429 #408814 #428822 #907538 Cross-References: CVE-2017-9269 CVE-2018-7685 Affected Products: openSUSE Leap 15.0 ______________________________________________________________________________
An update that solves two vulnerabilities and has 26 fixes is now available.
Description:
This update for libzypp, zypper, libsolv provides the following fixes:
Security fixes in libzypp:
- CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705) - CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)
Changes in libzypp:
- Update to version 17.6.4 - Automatically fetch repository signing key from gpgkey url (bsc#1088037) - lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304) - Check for not imported keys after multi key import from rpmdb (bsc#1096217) - Flags: make it std=c++14 ready - Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617) - Show GPGME version in log - Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427) - RepoInfo::provideKey: add report telling where we look for missing keys. - Support listing gpgkey URLs in repo files (bsc#1088037) - Add new report to request user approval for importing a package key - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - Add filesize check for downloads with known size (bsc#408814) - Removed superfluous space in translation (bsc#1102019) - Prevent the system from sleeping during a commit - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - Avoid zombies from ExternalProgram - Update ApiConfig - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - lsof: use '-K i' if lsof supports it (bsc#1099847) - Add filesize check for downloads with known size (bsc#408814) - Fix detection of metalink downloads and prevent aborting if a metalink file is larger than the expected data file. - Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095) - Make use of %license macro (bsc#1082318)
Security fix in zypper:
- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)
Changes in zypper:
- Always set error status if any nr of unknown repositories are passed to lr and ref (bsc#1093103) - Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217) - Detect read only filesystem on system modifying operations (fixes #199) - Use %license (bsc#1082318) - Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc #1041178) - Fix broken display of detailed query results. - Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770) - Disable repository operations when searching installed packages. (bsc#1084525) - Prevent nested calls to exit() if aborted by a signal. (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413) - Fix some translation errors. - Support listing gpgkey URLs in repo files (bsc#1088037) - Check for root privileges in zypper verify and si (bsc#1058515) - XML <install-summary> attribute `packages-to-change` added (bsc#1102429) - Add expert (allow-*) options to all installer commands (bsc#428822) - Sort search results by multiple columns (bsc#1066215) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Set error status if repositories passed to lr and ref are not known (bsc#1093103) - Do not override table style in search - Fix out of bound read in MbsIterator - Add --supplements switch to search and info - Add setter functions for zypp cache related config values to ZConfig
Changes in libsolv:
- convert repo2solv.sh script into a binary tool - Make use of %license macro (bsc#1082318)
This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0:
zypper in -t patch openSUSE-2018-1017=1
Package List:
- openSUSE Leap 15.0 (x86_64):
libsolv-debuginfo-0.6.35-lp150.2.3.1 libsolv-debugsource-0.6.35-lp150.2.3.1 libsolv-demo-0.6.35-lp150.2.3.1 libsolv-demo-debuginfo-0.6.35-lp150.2.3.1 libsolv-devel-0.6.35-lp150.2.3.1 libsolv-devel-debuginfo-0.6.35-lp150.2.3.1 libsolv-tools-0.6.35-lp150.2.3.1 libsolv-tools-debuginfo-0.6.35-lp150.2.3.1 libzypp-17.6.4-lp150.2.3.1 libzypp-debuginfo-17.6.4-lp150.2.3.1 libzypp-debugsource-17.6.4-lp150.2.3.1 libzypp-devel-17.6.4-lp150.2.3.1 libzypp-devel-doc-17.6.4-lp150.2.3.1 perl-solv-0.6.35-lp150.2.3.1 perl-solv-debuginfo-0.6.35-lp150.2.3.1 python-solv-0.6.35-lp150.2.3.1 python-solv-debuginfo-0.6.35-lp150.2.3.1 python3-solv-0.6.35-lp150.2.3.1 python3-solv-debuginfo-0.6.35-lp150.2.3.1 ruby-solv-0.6.35-lp150.2.3.1 ruby-solv-debuginfo-0.6.35-lp150.2.3.1 zypper-1.14.10-lp150.2.3.1 zypper-debuginfo-1.14.10-lp150.2.3.1 zypper-debugsource-1.14.10-lp150.2.3.1
- openSUSE Leap 15.0 (noarch):
zypper-aptitude-1.14.10-lp150.2.3.1 zypper-log-1.14.10-lp150.2.3.1
References:
https://www.suse.com/security/cve/CVE-2017-9269.html https://www.suse.com/security/cve/CVE-2018-7685.html https://bugzilla.suse.com/1036304 https://bugzilla.suse.com/1041178 https://bugzilla.suse.com/1043166 https://bugzilla.suse.com/1045735 https://bugzilla.suse.com/1058515 https://bugzilla.suse.com/1066215 https://bugzilla.suse.com/1070770 https://bugzilla.suse.com/1070851 https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1084525 https://bugzilla.suse.com/1088037 https://bugzilla.suse.com/1088705 https://bugzilla.suse.com/1091624 https://bugzilla.suse.com/1092413 https://bugzilla.suse.com/1093103 https://bugzilla.suse.com/1096217 https://bugzilla.suse.com/1096617 https://bugzilla.suse.com/1096803 https://bugzilla.suse.com/1099847 https://bugzilla.suse.com/1100028 https://bugzilla.suse.com/1100095 https://bugzilla.suse.com/1100427 https://bugzilla.suse.com/1101349 https://bugzilla.suse.com/1102019 https://bugzilla.suse.com/1102429 https://bugzilla.suse.com/408814 https://bugzilla.suse.com/428822 https://bugzilla.suse.com/907538
-- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
|
|
|
|