openSUSE Security Update: Security update for libdnf
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:2685-1
Rating:             moderate
References:         #1183779 
Cross-References:   CVE-2021-20271 CVE-2021-3421 CVE-2021-3445
                   
CVSS scores:
                    CVE-2021-20271 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-20271 (SUSE): 3.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
                    CVE-2021-3421 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-3421 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-3445 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-3445 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for libdnf fixes the following issues:

   - Fixed crash when loading DVD repositories

   Update to 0.62.0

   + Change order of TransactionItemReason (rh#1921063)
   + Add two new comperators for security filters (rh#1918475)
   + Apply security filters for candidates with lower priority
   + Fix: Goal - translation of messages in global maps
   + Enhance description of modular solvables
   + Improve performance for module query
   + Change mechanism of modular errata applicability (rh#1804234)
   + dnf_transaction_commit(): Remove second call to rpmtsSetVSFlags
   + Fix a couple of memory leaks
   + Fix: Setting of librepo handle in newHandle function
   + Remove failsafe data when module is not enabled (rh#1847035)
   + Expose librepo's checksum functions via SWIG
   + Fix: Mising check of "hy_split_nevra()" return code
   + Do not allow 1 as installonly_limit value (rh#1926261)
   + Fix check whether the subkey can be used for signing
   + Hardening: add signature check with rpmcliVerifySignatures
     (CVE-2021-3445, CVE-2021-3421, CVE-2021-20271, rh#1932079, rh#1932089,
     rh#1932090, bsc#1183779)
   + Add a config option sslverifystatus, defaults to false (rh#1814383)
   + [context] Add API for distro-sync

   - Fix dependency for repo-config-zypp subpackage to work with SLE

   Update to 0.60.0

   + Fix repo.fresh() implementation
   + Fix: Fully set ssl in newHandle function
   + [conf] Add options for working with certificates used with proxy
   + Apply proxy certificate options
   + lock: Switch return-if-fail to assert to quiet gcc -fanalyzer
   + build-sys: Clean up message about Python bindings
   + Modify module NSVCA parsing - context definition (rh#1926771)
   + [context] Fix: dnf_package_is_installonly (rh#1928056)
   + Fix problematic language
   + Add getApplicablePackages to advisory and isApplicable to advisorymodule
   + Keep isAdvisoryApplicable to preserve API
   + Run ModulePackageContainerTest tests in tmpdir, merge interdependent
   + [context] Support config file option "proxy_auth_method", defaults "any"
   + Properly handle multiple collections in updateinfo.xml (rh#1804234)
   + Support main config file option "installonlypkgs"
   + Support main config file option "protected_packages"

   - Add repo-config-zypp subpackage to allow easily using Zypper repository
     configuration

   - Backport support for using certificates for repository authorization
   - Backport another fix for adding controls to installonlypkgs
   - Add patch to move directory for dnf state data to /usr/lib/sysimage
   - Backport fixes to add controls for installonlypkgs and protected_packages

   Update to version 0.58.0

   + Option: Add reset() method
   + Add OptionBinds::getOption() method
   + [context] Add dnf_repo_conf_from_gkeyfile() and dnf_repo_conf_reset()
   + [context] Add support for options: minrate, throttle, bandwidth, timeout
   + [context] Remove g_key_file_get_string() from dnf_repo_set_keyfile_data()
   + Allow loading ext metadata even if only cache (solv) is present
   + Add ASAN_OPTIONS for test_libdnf_main
   + [context,API] Functions for accessing main/global configuration options
   + [context,API] Function for adding setopt
   + Add getter for modular obsoletes from ModuleMetadata
   + Add ModulePackage.getStaticContext() and getRequires()
   + Add compatible layer for MdDocuments v2
   + Fix modular queries with the new solver
   + Improve formatting of error string for modules
   + Change mechanism of module conflicts
   + Fix load/update FailSafe

   Update to version 0.55.2

   + Improve performance of query installed() and available()
   + Swdb: Add a method to get the current transaction
   + [modules] Add special handling for src artifacts (rh#1809314)
   + Better msgs if "basecachedir" or "proxy_password" isn't set (rh#1888946)
   + Add new options module_stream_switch
   + Support allow_vendor_change setting in dnf context API

   Update to version 0.55.0

   + Add vendor to dnf API (rh#1876561)
   + Add formatting function for solver error
   + Add error types in ModulePackageContainer
   + Implement module enable for context part
   + Improve string formatting for translation
   + Remove redundant printf and change logging info to notice (rh#1827424)
   + Add allow_vendor_change option (rh#1788371) (rh#1788371)

   Update to version 0.54.2

   + history: Fix dnf history rollback when a package was removed (rh#1683134)
   + Add support for HY_GT, HY_LT in query nevra_strict
   + Fix parsing empty lines in config files
   + Accept '==' as an operator in reldeps (rh#1847946)
   + Add log file level main config option (rh#1802074)
   + Add protect_running_kernel configuration option (rh#1698145)
   + Context part of libdnf cannot assume zchunk is on (rh#1851841,
     rh#1779104)
   + Fix memory leak of resultingModuleIndex and handle g_object refs
   + Redirect librepo logs to libdnf logs with different source
   + Add hy_goal_lock
   + Enum/String conversions for Transaction Store/Replay
   + utils: Add a method to decode URLs
   + Unify hawkey.log line format with the rest of the logs

   Update to version 0.48.0

   + Add prereq_ignoreinst & regular_requires properties for pkg (rh#1543449)
   + Reset active modules when no module enabled or default (rh#1767351)
   + Add comment option to transaction (rh#1773679)
   + Failing to get module defauls is a recoverable error
   + Baseurl is not exclusive with mirrorlist/metalink (rh#1775184)
   + Add new function to reset all modules in C API
     (dnf_context_reset_all_modules)
   + [context] Fix to preserve additionalMetadata content (rh#1808677)
   + Fix filtering of DepSolvables with source rpms (rh#1812596)
   + Add setter for running kernel protection setting
   + Handle situation when an unprivileged user cannot create history
     database (rh#1634385)
   + Add query filter: latest by priority
   + Add DNF_NO_PROTECTED flag to allow empty list of protected packages
   + Remove 'dim' option from terminal colors to make them more readable
     (rh#1807774, rh#1814563)
   + [context] Error when main config file can't be opened (rh#1794864)
   + [context] Add function function dnf_context_is_set_config_file_path
   + swdb: Catch only SQLite3 exceptions and simplify the messages
   + MergedTransaction list multiple comments (rh#1773679)
   + Modify CMake to pull *.po files from weblate
   + Optimize DependencyContainer creation from an existing queue
   + fix a memory leak in dnf_package_get_requires()
   + Fix memory leaks on g_build_filename()
   + Fix memory leak in dnf_context_setup()
   + Add `hy_goal_favor` and `hy_goal_disfavor`
   + Define a cleanup function for `DnfPackageSet`
   + dnf-repo: fix dnf_repo_get_public_keys double-free
   + Do not cache RPMDB
   + Use single-quotes around string literals used in SQL statements
   + SQLite3: Do not close the database if it wasn't opened (rh#1761976)
   + Don't create a new history DB connection for in-memory DB
   + transaction/Swdb: Use a single logger variable in constructor
   + utils: Add a safe version of pathExists()
   + swdb: Handle the case when pathExists() fails on e.g. permission
   + Repo: prepend "file://" if a local path is used as baseurl
   + Move urlEncode() to utils
   + utils: Add 'exclude' argument to urlEncode()
   + Encode package URL for downloading through librepo (rh#1817130)
   + Replace std::runtime_error with libdnf::RepoError
   + Fixes and error handling improvements of the File class
   + [context] Use ConfigRepo for gpgkey and baseurl (rh#1807864)
   + [context] support "priority" option in .repo config file (rh#1797265)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2021-2685=1



Package List:

   - openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64):

      libdnf-debuginfo-0.62.0-5.3.1
      libdnf-debugsource-0.62.0-5.3.1
      libdnf-devel-0.62.0-5.3.1
      libdnf-repo-config-zypp-0.62.0-5.3.1
      libdnf2-0.62.0-5.3.1
      libdnf2-debuginfo-0.62.0-5.3.1
      python3-hawkey-0.62.0-5.3.1
      python3-hawkey-debuginfo-0.62.0-5.3.1
      python3-libdnf-0.62.0-5.3.1
      python3-libdnf-debuginfo-0.62.0-5.3.1

   - openSUSE Leap 15.3 (noarch):

      hawkey-man-0.62.0-5.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-20271.html
   https://www.suse.com/security/cve/CVE-2021-3421.html
   https://www.suse.com/security/cve/CVE-2021-3445.html
   https://bugzilla.suse.com/1183779