Security update for zypper, libzypp and libsolv

Announcement ID: SUSE-SU-2019:2030-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2018-20532 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-20533 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-20534 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-20534 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
  • Basesystem Module 15
  • Desktop Applications Module 15
  • Development Tools Module 15
  • SUSE Linux Enterprise Desktop 15
  • SUSE Linux Enterprise High Performance Computing 15
  • SUSE Linux Enterprise Server 15
  • SUSE Linux Enterprise Server for SAP Applications 15
  • SUSE Linux Enterprise Workstation Extension 15

An update that solves three vulnerabilities and has 41 security fixes can now be installed.

Description:

This update for libzypp and libsolv fixes the following issues:

Security issues fixed:

  • CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
  • CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
  • CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Fixed bugs and enhancements:

  • make cleandeps jobs on patterns work (bnc#1137977)
  • Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
  • Virtualization host upgrade from SLES-15 to SLES-15-SP1 finished with wrong product name shown up (bsc#1131823).
  • Copy pattern categories from the rpm that defines the pattern (fate#323785).
  • Enhance scanning /sys for modaliases (bsc#1130161).
  • Prevent SEGV if the application sets an empty TextLocale (bsc#1127026).
  • Handle libgpgme error when gpg key is not completely read and user hits CTRL + C (bsc#1127220).
  • Added a hint when registration codes have expired (bsc#965786).
  • Adds a better handling of an error when verifying any repository medium (bsc#1065022).
  • Will now only write type field when probing (bsc#1114908).
  • Fixes an issue where zypper has showed the info message 'Installation aborted by user' while the installation was aborted by wicked (bsc#978193).
  • Suppresses reporting /memfd: pseudo files (bsc#1123843).
  • Fixes an issue where zypper was not able to install or uninstall packages when rpm is unavailable (bsc#1122471).
  • Fixes an issue where locks were ignored (bsc#1113296).
  • Simplify complex locks so zypper can display them (bsc#1112911).
  • zypper will now set SYSTEMD_OFFLINE=1 during chrooted commits (bsc#1118758).
  • no-recommends: Nevertheless consider resolver namespaces (hardware, language,..supporting packages) (fate#325513).
  • Removes world-readable bit from /var/log/zypp (bsc#1099019).
  • Does no longer fail service-refresh on a empty repoindex.xml (bsc#1116840).
  • Fixes soname due to libsolv ABI changes (bsc#1115341).
  • Add infrastructure to flag specific packages to trigger a reboot needed hint (fate#326451).

This update for zypper 1.14.27 fixes the following issues:

  • bash-completion: add package completion for addlock (bsc#1047962)
  • bash-completion: fix incorrect detection of command names (bsc#1049826)

  • Offer to change the 'runSearchPackages' config option at the prompt (bsc#1119373, FATE#325599)

  • Prompt: provide a 'yes/no/always/never' prompt.
  • Prompt: support "#NUM" as answer to select the NUMth option...
  • Augeas: enable writing back changed option values (to ~/.zypper.conf)
  • removelocale: fix segfault
  • Move needs-restarting command to subpackage (fixes #254)
  • Allow empty string as argument (bsc#1125415)
  • Provide a way to delete cache for volatile repositories (bsc#1053177)
  • Adapt to boost-1.69 requiring explicit casts tribool->bool (fixes #255)
  • Show support status in info if not unknown (bsc#764147)
  • Fix installing plain rpm files with zypper in (bsc#1124897)
  • Show only required info in the summary in quiet mode (bsc#993025)
  • Stay with legacy behavior and return ZYPPER_EXIT_INF_REBOOT_NEEDED only for patches. We don't extend this return code to packages, although they may also carry the 'reboot-needed' attribute. The preferred way to test whether the system needs to be rebooted is zypper needs-rebooting. (openSUSE/zypper#237)
  • Skip repository on error (bsc#1123967)
  • New commands for locale management: locales addlocale removelocale Inspect and manipulate the systems requested locales, aka. the languages software packages should try support by installing translations, dictionaries and tools, as far as they are available.
  • Don't throw, just warn if options are repeated (bsc#1123865)
  • Fix detection whether stdout is a tty (happened too late)
  • Fix broken --plus-content switch (fixes bsc#1123681)
  • Fix broken --replacefiles switch (fixes bsc#1123137)
  • Extend zypper source-install (fixes bsc#663358)
  • Fix inconsistent results for search (bsc#1119873)
  • Show reboot hint in zypper ps and summary (fixes bsc#1120263)
  • Improve handling of partially locked packages (bsc#1113296)
  • Fix wrong default values in help text (bsc#1121611)
  • Fixed broken argument parsing for --reposd-dir (bsc#1122062)
  • Fix wrong zypp::indeterminate use (bsc#1120463)
  • CLI parser: fix broken initialization enforcing 'select by name' (bsc#1119820)
  • zypper.conf: [commit] autoAgreeWithLicenses {=false} (fixes #220)
  • locks: Fix printing of versioned locks (bsc#1112911)
  • locks: create and write versioned locks correctly (bsc#1112911)
  • patch: --with update may implicitly assume --with-optional (bsc#1102261)
  • no-recommends: Nevertheless consider resolver namespaces (hardware, language,..supporting packages) (FATE#325513)
  • Optionally run "zypper search-packages" after "search" (FATE#325599)
  • zypper.conf: Add [search]runSearchPackages config variable.
  • Don't iterate twice on --no-cd (bsc#1111319)
  • zypper-log: Make it Python 3 compatible
  • man: mention /etc/zypp/needreboot config file (fate#326451, fixes #140)
  • Add needs-restarting shell script and manpage (fate#326451)
  • Add zypper needs-rebooting command (fate#326451)
  • Introduce new zypper command framefork. Migrated commands so far: addlock addrepo addservice clean cleanlocks modifyrepo modifyservice ps refresh refresh-services removelock removerepo removeservice renamerepo repos services
  • MediaChangeReport: fix https URLs causing 2 prompts on error (bsc#1110542)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Basesystem Module 15
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2030=1
  • Desktop Applications Module 15
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-2019-2030=1
  • Development Tools Module 15
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2019-2030=1
  • SUSE Linux Enterprise Workstation Extension 15
    zypper in -t patch SUSE-SLE-Product-WE-15-2019-2030=1

Package List:

  • Basesystem Module 15 (aarch64 ppc64le s390x x86_64)
    • zypper-1.14.28-3.18.6
    • libyui-ncurses-pkg-devel-2.48.5.2-3.5.2
    • libsolv-tools-0.7.5-3.12.2
    • libyui-qt-pkg-debugsource-2.45.15.2-3.5.3
    • libzypp-debugsource-17.12.0-3.23.6
    • libyui-ncurses-pkg8-2.48.5.2-3.5.2
    • libyui-ncurses-pkg8-debuginfo-2.48.5.2-3.5.2
    • yast2-pkg-bindings-4.0.13-3.7.2
    • libzypp-devel-17.12.0-3.23.6
    • yast2-pkg-bindings-debugsource-4.0.13-3.7.2
    • libyui-qt-pkg8-debuginfo-2.45.15.2-3.5.3
    • python-solv-debuginfo-0.7.5-3.12.2
    • libzypp-17.12.0-3.23.6
    • python-solv-0.7.5-3.12.2
    • zypper-debugsource-1.14.28-3.18.6
    • libsolv-debuginfo-0.7.5-3.12.2
    • libsolv-tools-debuginfo-0.7.5-3.12.2
    • libsolv-debugsource-0.7.5-3.12.2
    • libzypp-debuginfo-17.12.0-3.23.6
    • libsolv-devel-0.7.5-3.12.2
    • yast2-pkg-bindings-debuginfo-4.0.13-3.7.2
    • libyui-ncurses-pkg-debugsource-2.48.5.2-3.5.2
    • libsolv-devel-debuginfo-0.7.5-3.12.2
    • libyui-qt-pkg8-2.45.15.2-3.5.3
    • zypper-debuginfo-1.14.28-3.18.6
  • Basesystem Module 15 (noarch)
    • libyui-qt-pkg-doc-2.45.15.2-3.5.3
    • libyui-ncurses-pkg-doc-2.48.5.2-3.5.3
    • zypper-log-1.14.28-3.18.6
  • Desktop Applications Module 15 (aarch64 ppc64le s390x x86_64)
    • libpackagekit-glib2-18-debuginfo-1.1.10-4.10.4
    • PackageKit-debuginfo-1.1.10-4.10.4
    • libpackagekit-glib2-devel-1.1.10-4.10.4
    • libpackagekit-glib2-18-1.1.10-4.10.4
    • PackageKit-devel-1.1.10-4.10.4
    • PackageKit-devel-debuginfo-1.1.10-4.10.4
    • PackageKit-1.1.10-4.10.4
    • PackageKit-backend-zypp-debuginfo-1.1.10-4.10.4
    • PackageKit-backend-zypp-1.1.10-4.10.4
    • PackageKit-debugsource-1.1.10-4.10.4
    • libyui-qt-pkg-debugsource-2.45.15.2-3.5.3
    • libyui-qt-pkg-devel-2.45.15.2-3.5.3
    • typelib-1_0-PackageKitGlib-1_0-1.1.10-4.10.4
  • Desktop Applications Module 15 (noarch)
    • PackageKit-lang-1.1.10-4.10.4
  • Development Tools Module 15 (aarch64 ppc64le s390x x86_64)
    • perl-solv-debuginfo-0.7.5-3.12.2
    • perl-solv-0.7.5-3.12.2
    • python3-solv-0.7.5-3.12.2
    • libsolv-debuginfo-0.7.5-3.12.2
    • libsolv-debugsource-0.7.5-3.12.2
    • ruby-solv-0.7.5-3.12.2
    • python3-solv-debuginfo-0.7.5-3.12.2
    • ruby-solv-debuginfo-0.7.5-3.12.2
  • SUSE Linux Enterprise Workstation Extension 15 (x86_64)
    • PackageKit-debuginfo-1.1.10-4.10.4
    • PackageKit-gstreamer-plugin-1.1.10-4.10.4
    • PackageKit-gtk3-module-1.1.10-4.10.4
    • PackageKit-gtk3-module-debuginfo-1.1.10-4.10.4
    • PackageKit-debugsource-1.1.10-4.10.4
    • PackageKit-gstreamer-plugin-debuginfo-1.1.10-4.10.4

References: