Security update for zypper, libzypp and libsolv
SUSE Security Update: Security update for zypper, libzypp and libsolv
Announcement ID: SUSE-SU-2019:2030-1
Rating: moderate
References: #1047962 #1049826 #1053177 #1065022 #1099019 #1102261 #1110542 #1111319 #1112911 #1113296 #1114908 #1115341 #1116840 #1118758 #1119373 #1119820 #1119873 #1120263 #1120463 #1120629 #1120630 #1120631 #1121611 #1122062 #1122471 #1123137 #1123681 #1123843 #1123865 #1123967 #1124897 #1125415 #1127026 #1127155 #1127220 #1130161 #1131823 #1135749 #1137977 #663358 #764147 #965786 #978193 #993025
Cross-References: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
Affected Products:
An update that solves three vulnerabilities and has 41 fixes is now available.
Description:
This update for libzypp and libsolv fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).
Fixed bugs and enhancements:
- make cleandeps jobs on patterns work (bnc#1137977)
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Virtualization host upgrade from SLES-15 to SLES-15-SP1 finished with the wrong product name shown (bsc#1131823).
- Copy pattern categories from the rpm that defines the pattern (fate#323785).
- Enhance scanning /sys for modaliases (bsc#1130161).
- Prevent SEGV if the application sets an empty TextLocale (bsc#1127026).
- Handle libgpgme error when gpg key is not completely read and user hits CTRL + C (bsc#1127220).
- Added a hint when registration codes have expired (bsc#965786).
- Adds a better handling of an error when verifying any repository medium (bsc#1065022).
- Will now only write type field when probing (bsc#1114908).
- Fixes an issue where zypper showed the info message 'Installation aborted by user' when the installation was aborted by wicked (bsc#978193).
- Suppresses reporting `/memfd:` pseudo files (bsc#1123843).
- Fixes an issue where zypper was not able to install or uninstall packages when rpm is unavailable (bsc#1122471).
- Fixes an issue where locks were ignored (bsc#1113296).
- Simplify complex locks so zypper can display them (bsc#1112911).
- zypper will now set `SYSTEMD_OFFLINE=1` during chrooted commits (bsc#1118758).
- no-recommends: still consider resolver namespaces (hardware, language, ... supporting packages) (fate#325513).
- Removes world-readable bit from /var/log/zypp (bsc#1099019).
- No longer fails service-refresh on an empty repoindex.xml (bsc#1116840).
- Fixes soname due to libsolv ABI changes (bsc#1115341).
- Add infrastructure to flag specific packages to trigger a reboot needed hint (fate#326451).
This update for zypper 1.14.27 fixes the following issues:
- bash-completion: add package completion for addlock (bsc#1047962)
- bash-completion: fix incorrect detection of command names (bsc#1049826)
- Offer to change the 'runSearchPackages' config option at the prompt (bsc#1119373, FATE#325599)
- Prompt: provide a 'yes/no/always/never' prompt.
- Prompt: support "#NUM" as answer to select the NUMth option...
- Augeas: enable writing back changed option values (to ~/.zypper.conf)
- removelocale: fix segfault
- Move needs-restarting command to subpackage (fixes #254)
- Allow empty string as argument (bsc#1125415)
- Provide a way to delete cache for volatile repositories (bsc#1053177)
- Adapt to boost-1.69 requiring explicit casts tribool->bool (fixes #255)
- Show support status in info if not unknown (bsc#764147)
- Fix installing plain rpm files with `zypper in` (bsc#1124897)
- Show only required info in the summary in quiet mode (bsc#993025)
- Stay with legacy behavior and return ZYPPER_EXIT_INF_REBOOT_NEEDED only for patches. We don't extend this return code to packages, although they may also carry the 'reboot-needed' attribute. The preferred way to test whether the system needs to be rebooted is `zypper needs-rebooting`. (openSUSE/zypper#237)
- Skip repository on error (bsc#1123967)
- New commands for locale management: locales, addlocale, removelocale. Inspect and manipulate the system's `requested locales`, i.e. the languages software packages should try to support by installing translations, dictionaries and tools, as far as they are available.
- Don't throw, just warn if options are repeated (bsc#1123865)
- Fix detection whether stdout is a tty (happened too late)
- Fix broken --plus-content switch (fixes bsc#1123681)
- Fix broken --replacefiles switch (fixes bsc#1123137)
- Extend zypper source-install (fixes bsc#663358)
- Fix inconsistent results for search (bsc#1119873)
- Show reboot hint in zypper ps and summary (fixes bsc#1120263)
- Improve handling of partially locked packages (bsc#1113296)
- Fix wrong default values in help text (bsc#1121611)
- Fixed broken argument parsing for --reposd-dir (bsc#1122062)
- Fix wrong zypp::indeterminate use (bsc#1120463)
- CLI parser: fix broken initialization enforcing 'select by name' (bsc#1119820)
- zypper.conf: [commit] autoAgreeWithLicenses {=false} (fixes #220)
- locks: Fix printing of versioned locks (bsc#1112911)
- locks: create and write versioned locks correctly (bsc#1112911)
- patch: --with update may implicitly assume --with-optional (bsc#1102261)
- no-recommends: still consider resolver namespaces (hardware, language, ... supporting packages) (FATE#325513)
- Optionally run "zypper search-packages" after "search" (FATE#325599)
- zypper.conf: Add [search]runSearchPackages config variable.
- Don't iterate twice on --no-cd (bsc#1111319)
- zypper-log: Make it Python 3 compatible
- man: mention /etc/zypp/needreboot config file (fate#326451, fixes #140)
- Add `needs-restarting` shell script and manpage (fate#326451)
- Add zypper needs-rebooting command (fate#326451)
- Introduce new zypper command framework. Migrated commands so far: addlock addrepo addservice clean cleanlocks modifyrepo modifyservice ps refresh refresh-services removelock removerepo removeservice renamerepo repos services
- MediaChangeReport: fix https URLs causing 2 prompts on error (bsc#1110542)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Workstation Extension 15:
zypper in -t patch SUSE-SLE-Product-WE-15-2019-2030=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2030=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2030=1
- SUSE Linux Enterprise Module for Development Tools 15:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-2030=1
- SUSE Linux Enterprise Module for Desktop Applications 15:
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-2030=1
- SUSE Linux Enterprise Module for Basesystem 15:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2030=1
- SUSE Linux Enterprise Installer 15:
zypper in -t patch SUSE-SLE-INSTALLER-15-2019-2030=1
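To confirm that the patch actually landed, the following added example (not part of the SUSE advisory) compares installed version-release strings against the fixed versions given in the Package List. The function names, the "name version-release" input format and the sample inventory are assumptions made for the example.

```shell
#!/bin/sh
# Fixed version-release per package, copied from this advisory's Package List.
FIXED="libsolv-tools 0.7.5-3.12.2
libzypp 17.12.0-3.23.6
zypper 1.14.28-3.18.6"

# ver_ge A B: true when A >= B. GNU `sort -V` only approximates rpm's own
# comparison, which is enough for the numeric strings used here.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_inventory: reads "name version-release" lines on stdin, prints one
# status line per package in FIXED, returns 1 if any installed one is older.
check_inventory() {
    inventory=$(cat)
    rc=0
    while read -r name fixed; do
        have=$(printf '%s\n' "$inventory" |
               awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "ABSENT   $name (not installed, nothing to patch)"
        elif ver_ge "$have" "$fixed"; then
            echo "OK       $name $have"
        else
            echo "OUTDATED $name $have (fixed in $fixed)"
            rc=1
        fi
    done <<EOF
$FIXED
EOF
    return "$rc"
}

# Constructed sample inventory (not real host data): zypper already updated,
# libzypp still older, libsolv-tools not installed.
SAMPLE="zypper 1.14.28-3.18.6
libzypp 17.7.0-1.1"

printf '%s\n' "$SAMPLE" | check_inventory || true
```

On a real host, pipe in `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' libsolv-tools libzypp zypper`; the sample also shows why a plain string comparison is not enough, since 17.7.0 sorts after 17.12.0 lexically.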
Package List:
- SUSE Linux Enterprise Workstation Extension 15 (x86_64):
- PackageKit-debuginfo-1.1.10-4.10.4
- PackageKit-debugsource-1.1.10-4.10.4
- PackageKit-gstreamer-plugin-1.1.10-4.10.4
- PackageKit-gstreamer-plugin-debuginfo-1.1.10-4.10.4
- PackageKit-gtk3-module-1.1.10-4.10.4
- PackageKit-gtk3-module-debuginfo-1.1.10-4.10.4
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
- libsolv-debuginfo-0.7.5-3.12.2
- libsolv-debugsource-0.7.5-3.12.2
- libsolv-demo-0.7.5-3.12.2
- libsolv-demo-debuginfo-0.7.5-3.12.2
- libyui-ncurses-pkg-debugsource-2.48.5.2-3.5.2
- libyui-ncurses-pkg8-2.48.5.2-3.5.2
- libyui-ncurses-pkg8-debuginfo-2.48.5.2-3.5.2
- libyui-qt-pkg-debugsource-2.45.15.2-3.5.3
- libyui-qt-pkg8-2.45.15.2-3.5.3
- libyui-qt-pkg8-debuginfo-2.45.15.2-3.5.3
- libzypp-debuginfo-17.12.0-3.23.6
- libzypp-debugsource-17.12.0-3.23.6
- libzypp-devel-doc-17.12.0-3.23.6
- python-solv-0.7.5-3.12.2
- python-solv-debuginfo-0.7.5-3.12.2
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
- zypper-aptitude-1.14.28-3.18.6
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
- libsolv-debuginfo-0.7.5-3.12.2
- libsolv-debugsource-0.7.5-3.12.2
- libsolv-demo-0.7.5-3.12.2
- libsolv-demo-debuginfo-0.7.5-3.12.2
- libzypp-debuginfo-17.12.0-3.23.6
- libzypp-debugsource-17.12.0-3.23.6
- libzypp-devel-doc-17.12.0-3.23.6
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
- PackageKit-branding-upstream-1.1.10-4.10.4
- yast2-pkg-bindings-devel-doc-4.0.13-3.7.2
- zypper-aptitude-1.14.28-3.18.6
- SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):
- libsolv-debuginfo-0.7.5-3.12.2
- libsolv-debugsource-0.7.5-3.12.2
- perl-solv-0.7.5-3.12.2
- perl-solv-debuginfo-0.7.5-3.12.2
- python3-solv-0.7.5-3.12.2
- python3-solv-debuginfo-0.7.5-3.12.2
- ruby-solv-0.7.5-3.12.2
- ruby-solv-debuginfo-0.7.5-3.12.2
- SUSE Linux Enterprise Module for Desktop Applications 15 (aarch64 ppc64le s390x x86_64):
- PackageKit-1.1.10-4.10.4
- PackageKit-backend-zypp-1.1.10-4.10.4
- PackageKit-backend-zypp-debuginfo-1.1.10-4.10.4
- PackageKit-debuginfo-1.1.10-4.10.4
- PackageKit-debugsource-1.1.10-4.10.4
- PackageKit-devel-1.1.10-4.10.4
- PackageKit-devel-debuginfo-1.1.10-4.10.4
- libpackagekit-glib2-18-1.1.10-4.10.4
- libpackagekit-glib2-18-debuginfo-1.1.10-4.10.4
- libpackagekit-glib2-devel-1.1.10-4.10.4
- libyui-qt-pkg-debugsource-2.45.15.2-3.5.3
- libyui-qt-pkg-devel-2.45.15.2-3.5.3
- typelib-1_0-PackageKitGlib-1_0-1.1.10-4.10.4
- SUSE Linux Enterprise Module for Desktop Applications 15 (noarch):
- PackageKit-lang-1.1.10-4.10.4
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
- libsolv-debuginfo-0.7.5-3.12.2
- libsolv-debugsource-0.7.5-3.12.2
- libsolv-devel-0.7.5-3.12.2
- libsolv-devel-debuginfo-0.7.5-3.12.2
- libsolv-tools-0.7.5-3.12.2
- libsolv-tools-debuginfo-0.7.5-3.12.2
- libyui-ncurses-pkg-debugsource-2.48.5.2-3.5.2
- libyui-ncurses-pkg-devel-2.48.5.2-3.5.2
- libyui-ncurses-pkg8-2.48.5.2-3.5.2
- libyui-ncurses-pkg8-debuginfo-2.48.5.2-3.5.2
- libyui-qt-pkg-debugsource-2.45.15.2-3.5.3
- libyui-qt-pkg8-2.45.15.2-3.5.3
- libyui-qt-pkg8-debuginfo-2.45.15.2-3.5.3
- libzypp-17.12.0-3.23.6
- libzypp-debuginfo-17.12.0-3.23.6
- libzypp-debugsource-17.12.0-3.23.6
- libzypp-devel-17.12.0-3.23.6
- python-solv-0.7.5-3.12.2
- python-solv-debuginfo-0.7.5-3.12.2
- yast2-pkg-bindings-4.0.13-3.7.2
- yast2-pkg-bindings-debuginfo-4.0.13-3.7.2
- yast2-pkg-bindings-debugsource-4.0.13-3.7.2
- zypper-1.14.28-3.18.6
- zypper-debuginfo-1.14.28-3.18.6
- zypper-debugsource-1.14.28-3.18.6
- SUSE Linux Enterprise Module for Basesystem 15 (noarch):
- libyui-ncurses-pkg-doc-2.48.5.2-3.5.3
- libyui-qt-pkg-doc-2.45.15.2-3.5.3
- zypper-log-1.14.28-3.18.6
- SUSE Linux Enterprise Installer 15 (aarch64 ppc64le s390x x86_64):
- libsolv-tools-0.7.5-3.12.2
- libyui-ncurses-pkg8-2.48.5.2-3.5.2
- libyui-qt-pkg8-2.45.15.2-3.5.3
- libzypp-17.12.0-3.23.6
- yast2-pkg-bindings-4.0.13-3.7.2
- zypper-1.14.28-3.18.6
References:
- https://www.suse.com/security/cve/CVE-2018-20532.html
- https://www.suse.com/security/cve/CVE-2018-20533.html
- https://www.suse.com/security/cve/CVE-2018-20534.html
- https://bugzilla.suse.com/1047962
- https://bugzilla.suse.com/1049826
- https://bugzilla.suse.com/1053177
- https://bugzilla.suse.com/1065022
- https://bugzilla.suse.com/1099019
- https://bugzilla.suse.com/1102261
- https://bugzilla.suse.com/1110542
- https://bugzilla.suse.com/1111319
- https://bugzilla.suse.com/1112911
- https://bugzilla.suse.com/1113296
- https://bugzilla.suse.com/1114908
- https://bugzilla.suse.com/1115341
- https://bugzilla.suse.com/1116840
- https://bugzilla.suse.com/1118758
- https://bugzilla.suse.com/1119373
- https://bugzilla.suse.com/1119820
- https://bugzilla.suse.com/1119873
- https://bugzilla.suse.com/1120263
- https://bugzilla.suse.com/1120463
- https://bugzilla.suse.com/1120629
- https://bugzilla.suse.com/1120630
- https://bugzilla.suse.com/1120631
- https://bugzilla.suse.com/1121611
- https://bugzilla.suse.com/1122062
- https://bugzilla.suse.com/1122471
- https://bugzilla.suse.com/1123137
- https://bugzilla.suse.com/1123681
- https://bugzilla.suse.com/1123843
- https://bugzilla.suse.com/1123865
- https://bugzilla.suse.com/1123967
- https://bugzilla.suse.com/1124897
- https://bugzilla.suse.com/1125415
- https://bugzilla.suse.com/1127026
- https://bugzilla.suse.com/1127155
- https://bugzilla.suse.com/1127220
- https://bugzilla.suse.com/1130161
- https://bugzilla.suse.com/1131823
- https://bugzilla.suse.com/1135749
- https://bugzilla.suse.com/1137977
- https://bugzilla.suse.com/663358
- https://bugzilla.suse.com/764147
- https://bugzilla.suse.com/965786
- https://bugzilla.suse.com/978193
- https://bugzilla.suse.com/993025