YOU update for libzypp

SUSE YOU Update: YOU update for libzypp
Announcement ID: SUSE-YU-2013:1408-2
Rating: important
References: #828672
Affected Products:
  • SUSE Manager Client Tools for SLE 11 SP1
  • SLE CLIENT TOOLS 10 for x86_64
  • SLE CLIENT TOOLS 10 for s390x
  • SLE CLIENT TOOLS 10 for ia64
  • SLE CLIENT TOOLS 10 for PPC
  • SLE CLIENT TOOLS 10

An update that fixes one vulnerability is now available.

    Description:


    libzypp did not handle multiple GPG public keys in the
    repomd.xml.key and content.key files consistently and
    securely. Attackers could have exploited this to add their
    own keys and pretend that they came from SUSE.

    Security Issue reference:

    * CVE-2013-3704

    Special Instructions and Notes:

    This update triggers a restart of the software management stack. More updates will be available for installation after applying this update and restarting the application.

    Patch Instructions:

    To install this SUSE YOU Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Manager Client Tools for SLE 11 SP1:
      zypper in -t patch slesctsp1-libzypp-8360

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Manager Client Tools for SLE 11 SP1 (i586 ia64 ppc64 s390x x86_64):
      • libzypp-6.39.0-0.3.1
    • SLE CLIENT TOOLS 10 for x86_64 (x86_64):
      • libzypp-6.39.0-0.5.1
    • SLE CLIENT TOOLS 10 for s390x (s390x):
      • libzypp-6.39.0-0.5.1
    • SLE CLIENT TOOLS 10 for ia64 (ia64):
      • libzypp-6.39.0-0.5.1
    • SLE CLIENT TOOLS 10 for PPC (ppc):
      • libzypp-6.39.0-0.5.1
    • SLE CLIENT TOOLS 10 (i586):
      • libzypp-6.39.0-0.5.1

    References:

    • http://support.novell.com/security/cve/CVE-2013-3704.html
    • https://bugzilla.novell.com/828672
    • http://download.suse.com/patch/finder/?keywords=1580d4919b3e80f746b6ed3158079edf
    • http://download.suse.com/patch/finder/?keywords=69da9fdb4651190f06fc1b3973aaf523