openSUSE Security Update: Security update for zypper, libzypp and libsolv
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:1927-1
Rating:             moderate
References:         #1047962 #1049826 #1053177 #1065022 #1099019 #1102261
                    #1110542 #1111319 #1112911 #1113296 #1114908 #1115341
                    #1116840 #1118758 #1119373 #1119820 #1119873 #1120263
                    #1120463 #1120629 #1120630 #1120631 #1121611 #1122062
                    #1122471 #1123137 #1123681 #1123843 #1123865 #1123967
                    #1124897 #1125415 #1127026 #1127155 #1127220 #1130161
                    #1131823 #1135749 #1137977 #663358 #764147 #965786
                    #978193 #993025
Cross-References:   CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
Affected Products:
                    openSUSE Leap 15.0
______________________________________________________________________________

   An update that solves three vulnerabilities and has 41 fixes is now
   available.

Description:

   This update for libzypp and libsolv fixes the following issues:

   Security issues fixed:

   - CVE-2018-20532: Fixed a NULL pointer dereference in ext/testcase.c
     (function testcase_read) (bsc#1120629).
   - CVE-2018-20533: Fixed a NULL pointer dereference in ext/testcase.c
     (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
   - CVE-2018-20534: Fixed an illegal address access in src/pool.h
     (function pool_whatprovides) in libsolv.a (bsc#1120631).

   Fixed bugs and enhancements:

   - Make cleandeps jobs on patterns work (bnc#1137977).
   - Fixed an issue where libsolv failed to build against swig 4.0 by
     updating the version to 0.7.5 (bsc#1135749).
   - Virtualization host upgrade from SLES-15 to SLES-15-SP1 finished with
     the wrong product name shown (bsc#1131823).
   - Copy pattern categories from the rpm that defines the pattern
     (fate#323785).
   - Enhance scanning /sys for modaliases (bsc#1130161).
   - Prevent a SEGV if the application sets an empty TextLocale
     (bsc#1127026).
   - Handle the libgpgme error when a gpg key is not completely read and
     the user hits CTRL + C (bsc#1127220).
   - Added a hint when registration codes have expired (bsc#965786).
   - Adds better handling of an error when verifying any repository medium
     (bsc#1065022).
   - Now only writes the type field when probing (bsc#1114908).
   - Fixes an issue where zypper showed the info message 'Installation
     aborted by user' when the installation had actually been aborted by
     wicked (bsc#978193).
   - Suppresses reporting `/memfd:` pseudo files (bsc#1123843).
   - Fixes an issue where zypper was not able to install or uninstall
     packages when rpm is unavailable (bsc#1122471).
   - Fixes an issue where locks were ignored (bsc#1113296).
   - Simplify complex locks so zypper can display them (bsc#1112911).
   - zypper will now set `SYSTEMD_OFFLINE=1` during chrooted commits
     (bsc#1118758).
   - no-recommends: Nevertheless consider resolver namespaces (hardware,
     language, ... supporting packages) (fate#325513).
   - Removes the world-readable bit from /var/log/zypp (bsc#1099019).
   - No longer fails service-refresh on an empty repoindex.xml
     (bsc#1116840).
   - Fixes soname due to libsolv ABI changes (bsc#1115341).
   - Add infrastructure to flag specific packages to trigger a
     reboot-needed hint (fate#326451).

   This update for zypper 1.14.27 fixes the following issues:

   - bash-completion: add package completion for addlock (bsc#1047962)
   - bash-completion: fix incorrect detection of command names
     (bsc#1049826)
   - Offer to change the 'runSearchPackages' config option at the prompt
     (bsc#1119373, FATE#325599)
   - Prompt: provide a 'yes/no/always/never' prompt.
   - Prompt: support "#NUM" as answer to select the NUMth option...
   - Augeas: enable writing back changed option values (to ~/.zypper.conf)
   - removelocale: fix segfault
   - Move needs-restarting command to subpackage (fixes #254)
   - Allow empty string as argument (bsc#1125415)
   - Provide a way to delete cache for volatile repositories (bsc#1053177)
   - Adapt to boost-1.69 requiring explicit casts tribool->bool (fixes #255)
   - Show support status in info if not unknown (bsc#764147)
   - Fix installing plain rpm files with `zypper in` (bsc#1124897)
   - Show only required info in the summary in quiet mode (bsc#993025)
   - Stay with legacy behavior and return ZYPPER_EXIT_INF_REBOOT_NEEDED only
     for patches. We don't extend this return code to packages, although
     they may also carry the 'reboot-needed' attribute. The preferred way to
     test whether the system needs to be rebooted is
     `zypper needs-rebooting`. (openSUSE/zypper#237)
   - Skip repository on error (bsc#1123967)
   - New commands for locale management:
       locales
       addlocale
       removelocale
     Inspect and manipulate the system's `requested locales`, i.e. the
     languages that software packages should try to support by installing
     translations, dictionaries and tools, as far as they are available.
   - Don't throw, just warn if options are repeated (bsc#1123865)
   - Fix detection whether stdout is a tty (happened too late)
   - Fix broken --plus-content switch (fixes bsc#1123681)
   - Fix broken --replacefiles switch (fixes bsc#1123137)
   - Extend zypper source-install (fixes bsc#663358)
   - Fix inconsistent results for search (bsc#1119873)
   - Show reboot hint in zypper ps and summary (fixes bsc#1120263)
   - Improve handling of partially locked packages (bsc#1113296)
   - Fix wrong default values in help text (bsc#1121611)
   - Fixed broken argument parsing for --reposd-dir (bsc#1122062)
   - Fix wrong zypp::indeterminate use (bsc#1120463)
   - CLI parser: fix broken initialization enforcing 'select by name'
     (bsc#1119820)
   - zypper.conf: [commit] autoAgreeWithLicenses {=false} (fixes #220)
   - locks: Fix printing of versioned locks (bsc#1112911)
   - locks: create and write versioned locks correctly (bsc#1112911)
   - patch: --with update may implicitly assume --with-optional
     (bsc#1102261)
   - no-recommends: Nevertheless consider resolver namespaces (hardware,
     language, ... supporting packages) (FATE#325513)
   - Optionally run "zypper search-packages" after "search" (FATE#325599)
   - zypper.conf: Add [search]runSearchPackages config variable.
   - Don't iterate twice on --no-cd (bsc#1111319)
   - zypper-log: Make it Python 3 compatible
   - man: mention /etc/zypp/needreboot config file (fate#326451, fixes #140)
   - Add `needs-restarting` shell script and manpage (fate#326451)
   - Add zypper needs-rebooting command (fate#326451)
   - Introduce new zypper command framework. Migrated commands so far:
       addlock addrepo addservice clean cleanlocks modifyrepo modifyservice
       ps refresh refresh-services removelock removerepo removeservice
       renamerepo repos services
   - MediaChangeReport: fix https URLs causing 2 prompts on error
     (bsc#1110542)

   This update was imported from the SUSE:SLE-15:Update update project.
Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.0:

      zypper in -t patch openSUSE-2019-1927=1

Package List:

   - openSUSE Leap 15.0 (i586 x86_64):

      PackageKit-1.1.10-lp150.11.1
      PackageKit-backend-zypp-1.1.10-lp150.11.1
      PackageKit-backend-zypp-debuginfo-1.1.10-lp150.11.1
      PackageKit-debuginfo-1.1.10-lp150.11.1
      PackageKit-debugsource-1.1.10-lp150.11.1
      PackageKit-devel-1.1.10-lp150.11.1
      PackageKit-devel-debuginfo-1.1.10-lp150.11.1
      PackageKit-gstreamer-plugin-1.1.10-lp150.11.1
      PackageKit-gstreamer-plugin-debuginfo-1.1.10-lp150.11.1
      PackageKit-gtk3-module-1.1.10-lp150.11.1
      PackageKit-gtk3-module-debuginfo-1.1.10-lp150.11.1
      libpackagekit-glib2-18-1.1.10-lp150.11.1
      libpackagekit-glib2-18-debuginfo-1.1.10-lp150.11.1
      libpackagekit-glib2-devel-1.1.10-lp150.11.1
      libyui-ncurses-pkg-debugsource-2.48.5.2-lp150.7.1
      libyui-ncurses-pkg-devel-2.48.5.2-lp150.7.1
      libyui-ncurses-pkg8-2.48.5.2-lp150.7.1
      libyui-ncurses-pkg8-debuginfo-2.48.5.2-lp150.7.1
      libyui-qt-pkg-debugsource-2.45.15.2-lp150.7.1
      libyui-qt-pkg-devel-2.45.15.2-lp150.7.1
      libyui-qt-pkg8-2.45.15.2-lp150.7.1
      libyui-qt-pkg8-debuginfo-2.45.15.2-lp150.7.1
      typelib-1_0-PackageKitGlib-1_0-1.1.10-lp150.11.1
      yast2-pkg-bindings-4.0.13-lp150.2.13.1
      yast2-pkg-bindings-debuginfo-4.0.13-lp150.2.13.1
      yast2-pkg-bindings-debugsource-4.0.13-lp150.2.13.1

   - openSUSE Leap 15.0 (x86_64):

      libpackagekit-glib2-18-32bit-1.1.10-lp150.11.1
      libpackagekit-glib2-18-32bit-debuginfo-1.1.10-lp150.11.1
      libpackagekit-glib2-devel-32bit-1.1.10-lp150.11.1
      libsolv-debuginfo-0.7.5-lp150.7.1
      libsolv-debugsource-0.7.5-lp150.7.1
      libsolv-demo-0.7.5-lp150.7.1
      libsolv-demo-debuginfo-0.7.5-lp150.7.1
      libsolv-devel-0.7.5-lp150.7.1
      libsolv-devel-debuginfo-0.7.5-lp150.7.1
      libsolv-tools-0.7.5-lp150.7.1
      libsolv-tools-debuginfo-0.7.5-lp150.7.1
      libzypp-17.12.0-lp150.2.13.1
      libzypp-debuginfo-17.12.0-lp150.2.13.1
      libzypp-debugsource-17.12.0-lp150.2.13.1
      libzypp-devel-17.12.0-lp150.2.13.1
      libzypp-devel-doc-17.12.0-lp150.2.13.1
      perl-solv-0.7.5-lp150.7.1
      perl-solv-debuginfo-0.7.5-lp150.7.1
      python-solv-0.7.5-lp150.7.1
      python-solv-debuginfo-0.7.5-lp150.7.1
      python3-solv-0.7.5-lp150.7.1
      python3-solv-debuginfo-0.7.5-lp150.7.1
      ruby-solv-0.7.5-lp150.7.1
      ruby-solv-debuginfo-0.7.5-lp150.7.1
      zypper-1.14.28-lp150.2.13.1
      zypper-debuginfo-1.14.28-lp150.2.13.1
      zypper-debugsource-1.14.28-lp150.2.13.1

   - openSUSE Leap 15.0 (noarch):

      PackageKit-branding-upstream-1.1.10-lp150.11.1
      PackageKit-lang-1.1.10-lp150.11.1
      zypper-aptitude-1.14.28-lp150.2.13.1
      zypper-log-1.14.28-lp150.2.13.1
      zypper-needs-restarting-1.14.28-lp150.2.13.1

References:

   https://www.suse.com/security/cve/CVE-2018-20532.html
   https://www.suse.com/security/cve/CVE-2018-20533.html
   https://www.suse.com/security/cve/CVE-2018-20534.html
   https://bugzilla.suse.com/1047962
   https://bugzilla.suse.com/1049826
   https://bugzilla.suse.com/1053177
   https://bugzilla.suse.com/1065022
   https://bugzilla.suse.com/1099019
   https://bugzilla.suse.com/1102261
   https://bugzilla.suse.com/1110542
   https://bugzilla.suse.com/1111319
   https://bugzilla.suse.com/1112911
   https://bugzilla.suse.com/1113296
   https://bugzilla.suse.com/1114908
   https://bugzilla.suse.com/1115341
   https://bugzilla.suse.com/1116840
   https://bugzilla.suse.com/1118758
   https://bugzilla.suse.com/1119373
   https://bugzilla.suse.com/1119820
   https://bugzilla.suse.com/1119873
   https://bugzilla.suse.com/1120263
   https://bugzilla.suse.com/1120463
   https://bugzilla.suse.com/1120629
   https://bugzilla.suse.com/1120630
   https://bugzilla.suse.com/1120631
   https://bugzilla.suse.com/1121611
   https://bugzilla.suse.com/1122062
   https://bugzilla.suse.com/1122471
   https://bugzilla.suse.com/1123137
   https://bugzilla.suse.com/1123681
   https://bugzilla.suse.com/1123843
   https://bugzilla.suse.com/1123865
   https://bugzilla.suse.com/1123967
   https://bugzilla.suse.com/1124897
   https://bugzilla.suse.com/1125415
   https://bugzilla.suse.com/1127026
   https://bugzilla.suse.com/1127155
   https://bugzilla.suse.com/1127220
   https://bugzilla.suse.com/1130161
   https://bugzilla.suse.com/1131823
   https://bugzilla.suse.com/1135749
   https://bugzilla.suse.com/1137977
   https://bugzilla.suse.com/663358
   https://bugzilla.suse.com/764147
   https://bugzilla.suse.com/965786
   https://bugzilla.suse.com/978193
   https://bugzilla.suse.com/993025
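As an added example (not part of this advisory or of the zypper/libsolv projects), the following check compares installed `version-release` strings against the fixed libsolv-tools, libzypp and zypper versions from the package list above, using rpm's segment-wise ordering rather than plain string comparison (so 1.14.9 is not mistaken for newer than 1.14.28). The `rpm -qa` sample is constructed, and the comparison deliberately omits rpm's tilde/caret special cases.

```python
import re

# Fixed version-release strings taken from this advisory's package list.
FIXED = {
    "libsolv-tools": "0.7.5-lp150.7.1",
    "libzypp": "17.12.0-lp150.2.13.1",
    "zypper": "1.14.28-lp150.2.13.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# output from a partially patched host (not real data).
SAMPLE_RPM_QA = """\
libsolv-tools 0.7.5-lp150.7.1
libzypp 17.10.1-lp150.2.10.1
zypper 1.14.28-lp150.2.13.1
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: 1 if a is newer than b, -1 if older, 0 if equal.
    Numeric segments compare as integers and beat alphabetic ones; a string
    with segments left over is newer. Tilde/caret handling is omitted."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1   # numeric beats alphabetic
        elif x != y:
            return 1 if x > y else -1         # plain lexical order
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version decides first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(rpm_qa_output):
    """Return (name, installed, required) for listed packages below the fix."""
    findings = []
    for line in rpm_qa_output.splitlines():
        name, _, evr = line.partition(" ")
        if name in FIXED and evr_cmp(evr, FIXED[name]) < 0:
            findings.append((name, evr, FIXED[name]))
    return findings
```

On a real host, feed `unpatched()` the output of the `rpm -qa` query shown in the comment; an empty result means every listed package is at or above the advisory's version.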