Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 488
Alerts This Week
Warning Icon 1 488

openSUSE Leap 42.3: 2018:2881-1 Important: Libzypp Zypper Security Fix

opensuse
Calendar Grey September 26, 2018
Dist Opensuse Esm H88
A significant openSUSE notification regarding vulnerabilities in libzypp and zypper, including 11 other corrections.
An update that solves one vulnerability and has 11 fixes is now available.

Description

This update for libzypp, zypper fixes the following issues:

Update libzypp to version 16.17.20:

Security issues fixed:

- PackageProvider: Validate delta rpms before caching (bsc#1091624,

bsc#1088705, CVE-2018-7685)

- PackageProvider: Validate downloaded rpm package signatures before

caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)

- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)

- RepoManager: Explicitly request repo2solv to generate application pseudo

packages.

- libzypp-devel should not require cmake (bsc#1101349)

- HardLocksFile: Prevent against empty commit without Target having been

been loaded (bsc#1096803)

- Avoid zombie tar processes (bsc#1076192)

Update to zypper to version 1.13.45:

Other bugs fixed:

- XML attribute `packages-to-change` added (bsc#1102429)

- man: Strengthen that `--config FILE'...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-1054=1

Package List

- openSUSE Leap 42.3 (i586 x86_64):

libzypp-16.17.20-27.1

libzypp-debuginfo-16.17.20-27.1

libzypp-debugsource-16.17.20-27.1

libzypp-devel-16.17.20-27.1

libzypp-devel-doc-16.17.20-27.1

zypper-1.13.45-20.1

zypper-debuginfo-1.13.45-20.1

zypper-debugsource-1.13.45-20.1

- openSUSE Leap 42.3 (noarch):

zypper-aptitude-1.13.45-20.1

zypper-log-1.13.45-20.1

References

https://www.suse.com/security/cve/CVE-2018-7685.html

https://bugzilla.suse.com/show_bug.cgi?id=1036304

https://bugzilla.suse.com/show_bug.cgi?id=1049825

https://bugzilla.suse.com/show_bug.cgi?id=1070851

https://bugzilla.suse.com/show_bug.cgi?id=1076192

https://bugzilla.suse.com/show_bug.cgi?id=1088705

https://bugzilla.suse.com/show_bug.cgi?id=1091624

https://bugzilla.suse.com/show_bug.cgi?id=1092413

https://bugzilla.suse.com/show_bug.cgi?id=1096803

https://bugzilla.suse.com/show_bug.cgi?id=1099847

https://bugzilla.suse.com/show_bug.cgi?id=1100028

https://bugzilla.suse.com/show_bug.cgi?id=1101349

https://bugzilla.suse.com/show_bug.cgi?id=1102429

--

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2018:2881-1
Rating: important
Affected Products: openSUSE Leap 42.3 le.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.