Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 521
Alerts This Week
Warning Icon 1 521

openSUSE: 2018:2739-1 Critical Updates for Libzypp and Zypper Fixes

opensuse
Calendar Grey September 17, 2018
Dist Opensuse Esm H88
Debian Security Patch for apt and dpkg resolves urgent vulnerabilities with multiple enhancements.
An update that solves two vulnerabilities and has 26 fixes is now available.

Description

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

- CVE-2018-7685: PackageProvider: Validate RPMs before caching

(bsc#1091624, bsc#1088705)

- CVE-2017-9269: Be sure bad packages do not stay in the cache

(bsc#1045735)

Changes in libzypp:

- Update to version 17.6.4

- Automatically fetch repository signing key from gpgkey url (bsc#1088037)

- lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)

- Check for not imported keys after multi key import from rpmdb

(bsc#1096217)

- Flags: make it std=c++14 ready

- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)

- Show GPGME version in log

- Adapt to changes in libgpgme11-11.1.0 breaking the signature

verification (bsc#1100427)

- RepoInfo::provideKey: add report telling where we look for missing keys.

- Support listing gpgkey URLs in repo files (bsc#1088037)

- Add new report to request user approval for...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1017=1

Package List

- openSUSE Leap 15.0 (x86_64):

libsolv-debuginfo-0.6.35-lp150.2.3.1

libsolv-debugsource-0.6.35-lp150.2.3.1

libsolv-demo-0.6.35-lp150.2.3.1

libsolv-demo-debuginfo-0.6.35-lp150.2.3.1

libsolv-devel-0.6.35-lp150.2.3.1

libsolv-devel-debuginfo-0.6.35-lp150.2.3.1

libsolv-tools-0.6.35-lp150.2.3.1

libsolv-tools-debuginfo-0.6.35-lp150.2.3.1

libzypp-17.6.4-lp150.2.3.1

libzypp-debuginfo-17.6.4-lp150.2.3.1

libzypp-debugsource-17.6.4-lp150.2.3.1

libzypp-devel-17.6.4-lp150.2.3.1

libzypp-devel-doc-17.6.4-lp150.2.3.1

perl-solv-0.6.35-lp150.2.3.1

perl-solv-debuginfo-0.6.35-lp150.2.3.1

python-solv-0.6.35-lp150.2.3.1

python-solv-debuginfo-0.6.35-lp150.2.3.1

python3-solv-0.6.35-lp150.2.3.1

python3-solv-debuginfo-0.6.35-lp150.2.3.1

ruby-solv-0.6.35-lp150.2.3.1

ruby-solv-debuginfo-0.6.35-lp150.2.3.1

zypper-1.14.10-lp150.2.3.1

zypper-debuginfo-1.14.10-lp150.2.3.1

zypper-debugsource-1.14.10-lp150.2.3.1

- openSUSE Leap 15.0 (noarch):

zypper-aptitude-1.14.10-lp150.2.3.1

zypper-log-1.14.10-lp150.2.3.1

References

https://www.suse.com/security/cve/CVE-2017-9269.html

https://www.suse.com/security/cve/CVE-2018-7685.html

https://bugzilla.suse.com/1036304

https://bugzilla.suse.com/1041178

https://bugzilla.suse.com/1043166

https://bugzilla.suse.com/1045735

https://bugzilla.suse.com/1058515

https://bugzilla.suse.com/1066215

https://bugzilla.suse.com/1070770

https://bugzilla.suse.com/1070851

https://bugzilla.suse.com/1082318

https://bugzilla.suse.com/1084525

https://bugzilla.suse.com/1088037

https://bugzilla.suse.com/1088705

https://bugzilla.suse.com/1091624

https://bugzilla.suse.com/1092413

https://bugzilla.suse.com/1093103

https://bugzilla.suse.com/1096217

https://bugzilla.suse.com/1096617

https://bugzilla.suse.com/1096803

https://bugzilla.suse.com/1099847

https://bugzilla.suse.com/1100028

https://bugzilla.suse.com/1100095

https://bugzilla.suse.com/1100427

https://bugzilla.suse.com/1101349

https://bugzilla.suse.com/1102019

https://bugzilla.suse.com/1102429

https://bugzilla.suse.com/408814

https://bugzilla.suse.com/428822

https:/...

Read the Full Advisory

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2018:2739-1
Rating: important
Affected Products: openSUSE Leap 15.0 le.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.