Security update for libzypp, zypper

Announcement ID: SUSE-SU-2018:2688-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2017-7435 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-7435 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-7436 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-7436 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-9269 ( SUSE ): 7.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
  • CVE-2017-9269 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-7685 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-7685 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2

An update that solves four vulnerabilities and has 13 security fixes can now be installed.

Description:

This update for libzypp, zypper fixes the following issues:

libzypp security fixes:

  • PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
  • PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
  • Be sure bad packages do not stay in the cache (bsc#1045735, CVE-2017-9269)
  • Fix repo gpg check workflows, mainly for unsigned repos and packages (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269)

libzypp other changes/bugs fixed:

  • Update to version 14.45.17
  • RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735)
  • repo refresh: Re-probe if the repository type changes (bsc#1048315)
  • Use common workflow for downloading packages and srcpackages. This includes a common way of handling and reporting gpg signature and checks. (bsc#1037210)
  • PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
  • Adapt to work with GnuPG 2.1.23 (bsc#1054088)
  • repo refresh: Re-probe if the repository type changes (bsc#1048315)
  • Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
  • RepoManager: Explicitly request repo2solv to generate application pseudo packages.
  • Prefer calling "repo2solv" rather than "repo2solv.sh"
  • libzypp-devel should not require cmake (bsc#1101349)
  • HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803)
  • Avoid zombie tar processes (bsc#1076192)
  • lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)

zypper security fixes:

  • Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
  • add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)
  • Adapt download callback to report and handle unsigned packages (bsc#1038984, CVE-2017-7436)

zypper other changes/bugs fixed:

  • Update to version 1.11.70
  • Bugfix: Prevent ESC sequence strings from going out of scope (bsc#1092413)
  • XML <install-summary> attribute packages-to-change added (bsc#1102429)
  • man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
  • ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
  • do not recommend cron (bsc#1079334)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
    zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2688=1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2018-2688=1
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2688=1

Package List:

  • SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
    • kgraft-patch-4_4_121-92_98-default-2-2.1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (x86_64)
    • kgraft-patch-4_4_121-92_98-default-2-2.1
  • SUSE Linux Enterprise Server 12 SP2 LTSS 12-SP2 (ppc64le x86_64)
    • kgraft-patch-4_4_121-92_98-default-2-2.1

References: