openSUSE Security Update: Security update for libzypp, zypper ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:0059-1 Rating: moderate References: #1050625 #1174016 #1177238 #1177275 #1177427 #1177583 #1178910 #1178966 #1179083 #1179222 #1179415 #1179909 Cross-References: CVE-2017-9271 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that solves one vulnerability and has 11 fixes is now available. Description: This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.41 Update libzypp to 17.25.4 - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) yast-installation was updated to 4.2.48: - Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415) This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-59=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): libzypp-17.25.5-lp152.2.16.1 libzypp-debuginfo-17.25.5-lp152.2.16.1 libzypp-debugsource-17.25.5-lp152.2.16.1 libzypp-devel-17.25.5-lp152.2.16.1 libzypp-devel-doc-17.25.5-lp152.2.16.1 zypper-1.14.41-lp152.2.12.1 zypper-debuginfo-1.14.41-lp152.2.12.1 zypper-debugsource-1.14.41-lp152.2.12.1 - openSUSE Leap 15.2 (noarch): yast2-installation-4.2.48-lp152.2.12.1 zypper-aptitude-1.14.41-lp152.2.12.1 zypper-log-1.14.41-lp152.2.12.1 zypper-needs-restarting-1.14.41-lp152.2.12.1 References: https://www.suse.com/security/cve/CVE-2017-9271.html https://bugzilla.suse.com/1050625 https://bugzilla.suse.com/1174016 https://bugzilla.suse.com/1177238 https://bugzilla.suse.com/1177275 https://bugzilla.suse.com/1177427 https://bugzilla.suse.com/1177583 https://bugzilla.suse.com/1178910 https://bugzilla.suse.com/1178966 https://bugzilla.suse.com/1179083 https://bugzilla.suse.com/1179222 https://bugzilla.suse.com/1179415 https://bugzilla.suse.com/1179909