openSUSE: 2018:2739-1: important: libzypp, zypper
Description
This update for libzypp, zypper, libsolv provides the following fixes:
Security fixes in libzypp:
- CVE-2018-7685: PackageProvider: Validate RPMs before caching
(bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache
(bsc#1045735)
Changes in libzypp:
- Update to version 17.6.4
- Automatically fetch repository signing key from gpgkey url (bsc#1088037)
- lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
- Check for not imported keys after multi key import from rpmdb
(bsc#1096217)
- Flags: make it std=c++14 ready
- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
- Show GPGME version in log
- Adapt to changes in libgpgme11-11.1.0 breaking the signature
verification (bsc#1100427)
- RepoInfo::provideKey: add report telling where we look for missing keys.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Add new report to request user approval for importing a package key
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- Add filesize check for downloads with known size (bsc#408814)
- Removed superfluous space in translation (bsc#1102019)
- Prevent the system from sleeping during a commit
- RepoManager: Explicitly request repo2solv to generate application pseudo
packages.
- libzypp-devel should not require cmake (bsc#1101349)
- Avoid zombies from ExternalProgram
- Update ApiConfig
- HardLocksFile: Prevent against empty commit without Target having been
loaded (bsc#1096803)
- lsof: use '-K i' if lsof supports it (bsc#1099847)
- Fix detection of metalink downloads and prevent aborting if a metalink
file is larger than the expected data file.
- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
- Make use of %license macro (bsc#1082318)
Security fix in zypper:
- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)
Changes in zypper:
- Always set error status if any nr of unknown repositories are passed to
lr and ref (bsc#1093103)
- Notify user about unsupported rpm V3 keys in an old rpm database
(bsc#1096217)
- Detect read only filesystem on system modifying operations (fixes #199)
- Use %license (bsc#1082318)
- Handle repo aliases containing multiple ':' in the PackageArgs parser
(bsc#1041178)
- Fix broken display of detailed query results.
- Fix broken search for items with a dash. (bsc#907538, bsc#1043166,
bsc#1070770)
- Disable repository operations when searching installed packages.
(bsc#1084525)
- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope.
(bsc#1092413)
- Fix some translation errors.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Check for root privileges in zypper verify and si (bsc#1058515)
- XML
Patch
Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-1017=1
Package List
- openSUSE Leap 15.0 (x86_64):
  libsolv-debuginfo-0.6.35-lp150.2.3.1
  libsolv-debugsource-0.6.35-lp150.2.3.1
  libsolv-demo-0.6.35-lp150.2.3.1
  libsolv-demo-debuginfo-0.6.35-lp150.2.3.1
  libsolv-devel-0.6.35-lp150.2.3.1
  libsolv-devel-debuginfo-0.6.35-lp150.2.3.1
  libsolv-tools-0.6.35-lp150.2.3.1
  libsolv-tools-debuginfo-0.6.35-lp150.2.3.1
  libzypp-17.6.4-lp150.2.3.1
  libzypp-debuginfo-17.6.4-lp150.2.3.1
  libzypp-debugsource-17.6.4-lp150.2.3.1
  libzypp-devel-17.6.4-lp150.2.3.1
  libzypp-devel-doc-17.6.4-lp150.2.3.1
  perl-solv-0.6.35-lp150.2.3.1
  perl-solv-debuginfo-0.6.35-lp150.2.3.1
  python-solv-0.6.35-lp150.2.3.1
  python-solv-debuginfo-0.6.35-lp150.2.3.1
  python3-solv-0.6.35-lp150.2.3.1
  python3-solv-debuginfo-0.6.35-lp150.2.3.1
  ruby-solv-0.6.35-lp150.2.3.1
  ruby-solv-debuginfo-0.6.35-lp150.2.3.1
  zypper-1.14.10-lp150.2.3.1
  zypper-debuginfo-1.14.10-lp150.2.3.1
  zypper-debugsource-1.14.10-lp150.2.3.1
- openSUSE Leap 15.0 (noarch):
  zypper-aptitude-1.14.10-lp150.2.3.1
  zypper-log-1.14.10-lp150.2.3.1
References
https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1041178
https://bugzilla.suse.com/1043166
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1058515
https://bugzilla.suse.com/1066215
https://bugzilla.suse.com/1070770
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1084525
https://bugzilla.suse.com/1088037
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1093103
https://bugzilla.suse.com/1096217
https://bugzilla.suse.com/1096617
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1100095
https://bugzilla.suse.com/1100427
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102019
https://bugzilla.suse.com/1102429
https://bugzilla.suse.com/408814
https://bugzilla.suse.com/428822
https://bugzilla.suse.com/907538