Description
Security update for libzypp, zypper
This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:
- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
Other bugs fixed:
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
Update zypper to version 1.13.45:
Security issues fixed:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)
Other bugs fixed:
- XML attribute packages-to-change added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)
Package list
SUSE Linux Enterprise Desktop 12 SP3
libzypp-16.17.20-2.33.2
zypper-1.13.45-21.21.2
zypper-log-1.13.45-21.21.2
SUSE Linux Enterprise Server 12 SP3
libzypp-16.17.20-2.33.2
zypper-1.13.45-21.21.2
zypper-log-1.13.45-21.21.2
SUSE Linux Enterprise Server for SAP Applications 12 SP3
libzypp-16.17.20-2.33.2
zypper-1.13.45-21.21.2
zypper-log-1.13.45-21.21.2
SUSE Linux Enterprise Software Development Kit 12 SP3
libzypp-devel-16.17.20-2.33.2
libzypp-devel-doc-16.17.20-2.33.2
References
- Link for SUSE-SU-2018:2814-1
- E-Mail link for SUSE-SU-2018:2814-1
- SUSE Security Ratings
- SUSE Bug 1036304
- SUSE Bug 1045735
- SUSE Bug 1049825
- SUSE Bug 1070851
- SUSE Bug 1076192
- SUSE Bug 1088705
- SUSE Bug 1091624
- SUSE Bug 1092413
- SUSE Bug 1096803
- SUSE Bug 1099847
- SUSE Bug 1100028
- SUSE Bug 1101349
- SUSE Bug 1102429
- SUSE CVE CVE-2017-9269 page
- SUSE CVE CVE-2018-7685 page
Description
In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content.
Affected products
SUSE Linux Enterprise Desktop 12 SP3:libzypp-16.17.20-2.33.2
SUSE Linux Enterprise Desktop 12 SP3:zypper-1.13.45-21.21.2
SUSE Linux Enterprise Desktop 12 SP3:zypper-log-1.13.45-21.21.2
SUSE Linux Enterprise Server 12 SP3:libzypp-16.17.20-2.33.2
References
- CVE-2017-9269
- SUSE Bug 1038984
- SUSE Bug 1045735
Description
The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download.
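Both CVEs on this page come down to GPG verification being skipped or weakened: unpinned repository keys (CVE-2017-9269) and unverified RPMs left in the package cache (CVE-2018-7685). The following audit script is an added example, not part of the SUSE advisory or of libzypp/zypper: it flags repo definitions that disable GPG checking and re-verifies signatures of already cached RPMs. The repo-file keys gpgcheck, repo_gpgcheck and pkg_gpgcheck are assumed to follow the zypper repo file format, and the sample repo files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit zypp repo definitions for
# weakened GPG checking and re-verify RPMs already sitting in the package cache.
# Repo-file keys (gpgcheck, repo_gpgcheck, pkg_gpgcheck) are assumed to follow
# the zypper repo file format; the sample .repo content below is constructed.

# Print the section name of every enabled repo in DIR whose .repo file sets
# gpgcheck=0, repo_gpgcheck=0 or pkg_gpgcheck=0. Disabled repos are skipped.
audit_repos() {
    dir="$1"
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -F= '
            function flush() { if (name != "" && enabled && weak) print name }
            /^\[/ { flush(); name = substr($0, 2, length($0) - 2); enabled = 1; weak = 0; next }
            $1 == "enabled" && $2 == "0" { enabled = 0 }
            ($1 == "gpgcheck" || $1 == "repo_gpgcheck" || $1 == "pkg_gpgcheck") && $2 == "0" { weak = 1 }
            END { flush() }
        ' "$f"
    done
}

# Re-verify every RPM in the zypp package cache with rpm --checksig and list
# the ones that fail. A cached file failing here is what the fixed libzypp
# refuses to cache in the first place; on a not-yet-updated host it may still
# be present and would otherwise be installed without a fresh warning.
check_cached_rpms() {
    cache="${1:-/var/cache/zypp/packages}"
    find "$cache" -name '*.rpm' -print 2>/dev/null | while read -r rpmfile; do
        rpm --checksig "$rpmfile" >/dev/null 2>&1 || echo "BAD: $rpmfile"
    done
}

# Constructed sample repos: one with GPG checking off, one fully checked,
# one disabled. Only the first should be reported.
demo_dir="$(mktemp -d)"
printf '[weak-mirror]\nname=weak\nenabled=1\nbaseurl=https://mirror.example/w\ngpgcheck=0\n' > "$demo_dir/weak.repo"
printf '[good]\nname=good\nenabled=1\nbaseurl=https://mirror.example/g\ngpgcheck=1\nrepo_gpgcheck=1\npkg_gpgcheck=1\n' > "$demo_dir/good.repo"
printf '[off]\nname=off\nenabled=0\nbaseurl=https://mirror.example/o\ngpgcheck=0\n' > "$demo_dir/off.repo"
audit_repos "$demo_dir"   # prints: weak-mirror
```

On a real host, run `audit_repos /etc/zypp/repos.d` and `check_cached_rpms` as root after applying this update; the second function needs the rpm tool and is not exercised by the constructed sample.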
Affected products
SUSE Linux Enterprise Desktop 12 SP3:libzypp-16.17.20-2.33.2
SUSE Linux Enterprise Desktop 12 SP3:zypper-1.13.45-21.21.2
SUSE Linux Enterprise Desktop 12 SP3:zypper-log-1.13.45-21.21.2
SUSE Linux Enterprise Server 12 SP3:libzypp-16.17.20-2.33.2
References
- CVE-2018-7685
- SUSE Bug 1045735
- SUSE Bug 1088705
- SUSE Bug 1091624