Security update for libzypp, zypper

Announcement ID: SUSE-SU-2018:2716-2
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2017-9269 ( SUSE ): 7.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
  • CVE-2017-9269 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-7685 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-7685 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2

An update that solves two vulnerabilities and has 12 security fixes can now be installed.

Description:

This update for libzypp, zypper provides the following fixes:

Update libzypp to version 16.17.20

Security issues fixed:

  • PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
  • PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:

  • lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
  • Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
  • RepoManager: Explicitly request repo2solv to generate application pseudo packages.
  • libzypp-devel should not require cmake (bsc#1101349)
  • HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803)
  • Avoid zombie tar processes (bsc#1076192)

Update to zypper to version 1.13.45

Security issue fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)

Other bugs fixed:

  • XML <install-summary> attribute packages-to-change added (bsc#1102429)
  • man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
  • Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
  • ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
  • Fix: zypper bash completion expands non-existing options (bsc#1049825)
  • do not recommend cron (bsc#1079334)
  • Improve signature check callback messages (bsc#1045735)
  • add/modify repo: Add options to tune the GPG check settings (bsc#1045735)

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-1905=1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2018-1905=1

Package List:

  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
    • libzypp-debugsource-16.17.20-27.52.1
    • zypper-1.13.45-18.33.1
    • libzypp-16.17.20-27.52.1
    • libzypp-debuginfo-16.17.20-27.52.1
    • zypper-debugsource-1.13.45-18.33.1
    • zypper-debuginfo-1.13.45-18.33.1
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (noarch)
    • zypper-log-1.13.45-18.33.1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (x86_64)
    • libzypp-debugsource-16.17.20-27.52.1
    • zypper-1.13.45-18.33.1
    • libzypp-16.17.20-27.52.1
    • libzypp-debuginfo-16.17.20-27.52.1
    • zypper-debugsource-1.13.45-18.33.1
    • zypper-debuginfo-1.13.45-18.33.1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (noarch)
    • zypper-log-1.13.45-18.33.1

References: