SUSE-SU-2018:2690-1

Описание

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

• CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705)
• CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)

Changes in libzypp:

• Update to version 17.6.4
• Automatically fetch repository signing key from gpgkey url (bsc#1088037)
• lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
• Check for not imported keys after multi key import from rpmdb (bsc#1096217)
• Flags: make it std=c++14 ready
• Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
• Show GPGME version in log
• Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427)
• RepoInfo::provideKey: add report telling where we look for missing keys.
• Support listing gpgkey URLs in repo files (bsc#1088037)
• Add new report to request user approval for importing a package key
• Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
• Add filesize check for downloads with known size (bsc#408814)
• Removed superfluous space in translation (bsc#1102019)
• Prevent the system from sleeping during a commit
• RepoManager: Explicitly request repo2solv to generate application pseudo packages.
• libzypp-devel should not require cmake (bsc#1101349)
• Avoid zombies from ExternalProgram
• Update ApiConfig
• HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803)
• lsof: use '-K i' if lsof supports it (bsc#1099847)
• Add filesize check for downloads with known size (bsc#408814)
• Fix detection of metalink downloads and prevent aborting if a metalink file is larger than the expected data file.
• Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
• Make use of %license macro (bsc#1082318)

Security fix in zypper:

• CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

• Always set error status if any nr of unknown repositories are passed to lr and ref (bsc#1093103)
• Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217)
• Detect read only filesystem on system modifying operations (fixes #199)
• Use %license (bsc#1082318)
• Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc #1041178)
• Fix broken display of detailed query results.
• Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770)
• Disable repository operations when searching installed packages. (bsc#1084525)
• Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
• ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
• Fix some translation errors.
• Support listing gpgkey URLs in repo files (bsc#1088037)
• Check for root privileges in zypper verify and si (bsc#1058515)
• XML attribute packages-to-change added (bsc#1102429)
• Add expert (allow-*) options to all installer commands (bsc#428822)
• Sort search results by multiple columns (bsc#1066215)
• man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
• Set error status if repositories passed to lr and ref are not known (bsc#1093103)
• Do not override table style in search
• Fix out of bound read in MbsIterator
• Add --supplements switch to search and info
• Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

• convert repo2solv.sh script into a binary tool
• Make use of %license macro (bsc#1082318)