Recommended update for libzypp, zypper, libsolv and PackageKit

Announcement ID:	SUSE-RU-2019:2742-1
Rating:	important
References:	bsc#1049825 bsc#1116995 bsc#1120629 bsc#1120630 bsc#1120631 bsc#1127155 bsc#1127608 bsc#1130306 bsc#1131113 bsc#1131823 bsc#1134226 bsc#1135749 bsc#1137977 bsc#1139795 bsc#1140039 bsc#1145521 bsc#1146027 bsc#1146415 bsc#1146947 bsc#1153557 bsc#859480
Cross-References:	CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
CVSS scores:	CVE-2018-20532 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-20533 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2018-20534 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2018-20534 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP1 Desktop Applications Module 15-SP1 Development Tools Module 15-SP1 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Workstation Extension 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0 SUSE Package Hub 15 15-SP1

An update that solves three vulnerabilities and has 18 fixes can now be installed.

Description:

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

• CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
• CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
• CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

• Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
• Fixed an issue with the package name (bsc#1131823).
• repo_add_rpmdb: do not copy bad solvables from the old solv file
• Fixed an issue with cleandeps updates in which all packages were not updated
• Experimental DISTTYPE_CONDA and REL_CONDA support
• Fixed cleandeps jobs when using patterns (bsc#1137977)
• Fixed favorq leaking between solver runs if the solver is reused
• Fixed SOLVER_FLAG_FOCUS_BEST updateing packages without reason
• Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
• Fix repository priority handling for multiversion packages
• Make code compatible with swig 4.0, remove obj0 instances
• repo2solv: support zchunk compressed data
• Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

• Fix empty metalink downloads if filesize is unknown (bsc#1153557)
• Recognize riscv64 as architecture
• Fix installation of new header file (fixes #185)
• zypp.conf: Introduce solver.focus to define the resolvers general attitude when resolving jobs. (bsc#1146415)
• New container detection algorithm for zypper ps (bsc#1146947)
• Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
• Run file conflict check on dry-run. (bsc#1140039)
• Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
• Rephrase file conflict check summary. (bsc#1140039)
• Fix bash completions option detection. (bsc#1049825)
• Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
• Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
• PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

• Update to version 1.14.30
• Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
• Dump stacktrace on SIGPIPE (bsc#1145521)
• info: The requested info must be shown in QUIET mode (fixes #287)
• Fix local/remote url classification.
• Rephrase file conflict check summary (bsc#1140039)
• Fix bash completions option detection (bsc#1049825)
• man: split '--with[out]' like options to ease searching.
• Unhided 'ps' command in help
• Added option to show more conflict information
• Rephrased zypper ps hint (bsc#859480)
• Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
• Fixed unknown package handling in zypper install (bsc#1127608)
• Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

• Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script(bsc#1130306).

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2742=1
• Desktop Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2742=1
• Development Tools Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2742=1
• SUSE Package Hub 15 15-SP1
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2019-2742=1
• SUSE Linux Enterprise Workstation Extension 15 SP1
  zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-2742=1

Package List:

• Basesystem Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • libzypp-debugsource-17.15.0-3.9.1
  • libyui-qt-pkg-debugsource-2.45.27-3.3.5
  • libsolv-devel-debuginfo-0.7.6-3.7.2
  • libyui-qt-pkg9-2.45.27-3.3.5
  • libsolv-debugsource-0.7.6-3.7.2
  • libsolv-debuginfo-0.7.6-3.7.2
  • libyui-ncurses-pkg9-debuginfo-2.48.9-7.3.5
  • libsolv-tools-0.7.6-3.7.2
  • yast2-pkg-bindings-debuginfo-4.1.2-3.3.5
  • python3-solv-0.7.6-3.7.2
  • zypper-1.14.30-3.7.2
  • libzypp-17.15.0-3.9.1
  • yast2-pkg-bindings-debugsource-4.1.2-3.3.5
  • libsolv-tools-debuginfo-0.7.6-3.7.2
  • python3-solv-debuginfo-0.7.6-3.7.2
  • libyui-ncurses-pkg9-2.48.9-7.3.5
  • yast2-pkg-bindings-4.1.2-3.3.5
  • zypper-debuginfo-1.14.30-3.7.2
  • libyui-qt-pkg9-debuginfo-2.45.27-3.3.5
  • libyui-ncurses-pkg-debugsource-2.48.9-7.3.5
  • zypper-debugsource-1.14.30-3.7.2
  • libsolv-devel-0.7.6-3.7.2
  • libzypp-debuginfo-17.15.0-3.9.1
  • libzypp-devel-17.15.0-3.9.1
  • libyui-ncurses-pkg-devel-2.48.9-7.3.5
• Basesystem Module 15-SP1 (noarch)
  • libyui-qt-pkg-doc-2.45.27-3.3.3
  • libyui-ncurses-pkg-doc-2.48.9-7.3.3
  • zypper-needs-restarting-1.14.30-3.7.2
  • zypper-log-1.14.30-3.7.2
• Desktop Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • libpackagekit-glib2-18-1.1.10-12.3.5
  • PackageKit-1.1.10-12.3.5
  • typelib-1_0-PackageKitGlib-1_0-1.1.10-12.3.5
  • libyui-qt-pkg-debugsource-2.45.27-3.3.5
  • libyui-qt-pkg-devel-2.45.27-3.3.5
  • PackageKit-debugsource-1.1.10-12.3.5
  • PackageKit-debuginfo-1.1.10-12.3.5
  • PackageKit-devel-1.1.10-12.3.5
  • PackageKit-devel-debuginfo-1.1.10-12.3.5
  • libpackagekit-glib2-devel-1.1.10-12.3.5
  • PackageKit-backend-zypp-debuginfo-1.1.10-12.3.5
  • PackageKit-backend-zypp-1.1.10-12.3.5
  • libpackagekit-glib2-18-debuginfo-1.1.10-12.3.5
• Desktop Applications Module 15-SP1 (noarch)
  • PackageKit-lang-1.1.10-12.3.5
• Development Tools Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • perl-solv-0.7.6-3.7.2
  • ruby-solv-debuginfo-0.7.6-3.7.2
  • perl-solv-debuginfo-0.7.6-3.7.2
  • libsolv-debugsource-0.7.6-3.7.2
  • libsolv-debuginfo-0.7.6-3.7.2
  • ruby-solv-0.7.6-3.7.2
• SUSE Package Hub 15 15-SP1 (aarch64 ppc64le s390x x86_64)
  • python-solv-debuginfo-0.7.6-3.7.2
  • libsolv-debuginfo-0.7.6-3.7.2
  • python-solv-0.7.6-3.7.2
  • libsolv-debugsource-0.7.6-3.7.2
• SUSE Linux Enterprise Workstation Extension 15 SP1 (x86_64)
  • PackageKit-gstreamer-plugin-1.1.10-12.3.5
  • PackageKit-gtk3-module-1.1.10-12.3.5
  • PackageKit-gtk3-module-debuginfo-1.1.10-12.3.5
  • PackageKit-debugsource-1.1.10-12.3.5
  • PackageKit-debuginfo-1.1.10-12.3.5
  • PackageKit-gstreamer-plugin-debuginfo-1.1.10-12.3.5

References:

• https://www.suse.com/security/cve/CVE-2018-20532.html
• https://www.suse.com/security/cve/CVE-2018-20533.html
• https://www.suse.com/security/cve/CVE-2018-20534.html
• https://bugzilla.suse.com/show_bug.cgi?id=1049825
• https://bugzilla.suse.com/show_bug.cgi?id=1116995
• https://bugzilla.suse.com/show_bug.cgi?id=1120629
• https://bugzilla.suse.com/show_bug.cgi?id=1120630
• https://bugzilla.suse.com/show_bug.cgi?id=1120631
• https://bugzilla.suse.com/show_bug.cgi?id=1127155
• https://bugzilla.suse.com/show_bug.cgi?id=1127608
• https://bugzilla.suse.com/show_bug.cgi?id=1130306
• https://bugzilla.suse.com/show_bug.cgi?id=1131113
• https://bugzilla.suse.com/show_bug.cgi?id=1131823
• https://bugzilla.suse.com/show_bug.cgi?id=1134226
• https://bugzilla.suse.com/show_bug.cgi?id=1135749
• https://bugzilla.suse.com/show_bug.cgi?id=1137977
• https://bugzilla.suse.com/show_bug.cgi?id=1139795
• https://bugzilla.suse.com/show_bug.cgi?id=1140039
• https://bugzilla.suse.com/show_bug.cgi?id=1145521
• https://bugzilla.suse.com/show_bug.cgi?id=1146027
• https://bugzilla.suse.com/show_bug.cgi?id=1146415
• https://bugzilla.suse.com/show_bug.cgi?id=1146947
• https://bugzilla.suse.com/show_bug.cgi?id=1153557
• https://bugzilla.suse.com/show_bug.cgi?id=859480