openSUSE Security Update: Security update for libdnf ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:2685-1 Rating: moderate References: #1183779 Cross-References: CVE-2021-20271 CVE-2021-3421 CVE-2021-3445 CVSS scores: CVE-2021-20271 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-20271 (SUSE): 3.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L CVE-2021-3421 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-3421 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2021-3445 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-3445 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H Affected Products: openSUSE Leap 15.3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for libdnf fixes the following issues: - Fixed crash when loading DVD repositories Update to 0.62.0 + Change order of TransactionItemReason (rh#1921063) + Add two new comperators for security filters (rh#1918475) + Apply security filters for candidates with lower priority + Fix: Goal - translation of messages in global maps + Enhance description of modular solvables + Improve performance for module query + Change mechanism of modular errata applicability (rh#1804234) + dnf_transaction_commit(): Remove second call to rpmtsSetVSFlags + Fix a couple of memory leaks + Fix: Setting of librepo handle in newHandle function + Remove failsafe data when module is not enabled (rh#1847035) + Expose librepo's checksum functions via SWIG + Fix: Mising check of "hy_split_nevra()" return code + Do not allow 1 as installonly_limit value (rh#1926261) + Fix check whether the subkey can be used for signing + Hardening: add signature check with rpmcliVerifySignatures (CVE-2021-3445, CVE-2021-3421, CVE-2021-20271, rh#1932079, rh#1932089, rh#1932090, bsc#1183779) + Add a config option sslverifystatus, defaults to false (rh#1814383) + [context] Add API for distro-sync - Fix dependency for repo-config-zypp subpackage to work with SLE Update to 0.60.0 + Fix repo.fresh() implementation + Fix: Fully set ssl in newHandle function + [conf] Add options for working with certificates used with proxy + Apply proxy certificate options + lock: Switch return-if-fail to assert to quiet gcc -fanalyzer + build-sys: Clean up message about Python bindings + Modify module NSVCA parsing - context definition (rh#1926771) + [context] Fix: dnf_package_is_installonly (rh#1928056) + Fix problematic language + Add getApplicablePackages to advisory and isApplicable to advisorymodule + Keep isAdvisoryApplicable to preserve API + Run ModulePackageContainerTest tests in tmpdir, merge interdependent + [context] Support config file option "proxy_auth_method", defaults "any" + Properly handle multiple collections in updateinfo.xml (rh#1804234) + Support main config file option "installonlypkgs" + Support main config file option "protected_packages" - Add repo-config-zypp subpackage to allow easily using Zypper repository configuration - Backport support for using certificates for repository authorization - Backport another fix for adding controls to installonlypkgs - Add patch to move directory for dnf state data to /usr/lib/sysimage - Backport fixes to add controls for installonlypkgs and protected_packages Update to version 0.58.0 + Option: Add reset() method + Add OptionBinds::getOption() method + [context] Add dnf_repo_conf_from_gkeyfile() and dnf_repo_conf_reset() + [context] Add support for options: minrate, throttle, bandwidth, timeout + [context] Remove g_key_file_get_string() from dnf_repo_set_keyfile_data() + Allow loading ext metadata even if only cache (solv) is present + Add ASAN_OPTIONS for test_libdnf_main + [context,API] Functions for accessing main/global configuration options + [context,API] Function for adding setopt + Add getter for modular obsoletes from ModuleMetadata + Add ModulePackage.getStaticContext() and getRequires() + Add compatible layer for MdDocuments v2 + Fix modular queries with the new solver + Improve formatting of error string for modules + Change mechanism of module conflicts + Fix load/update FailSafe Update to version 0.55.2 + Improve performance of query installed() and available() + Swdb: Add a method to get the current transaction + [modules] Add special handling for src artifacts (rh#1809314) + Better msgs if "basecachedir" or "proxy_password" isn't set (rh#1888946) + Add new options module_stream_switch + Support allow_vendor_change setting in dnf context API Update to version 0.55.0 + Add vendor to dnf API (rh#1876561) + Add formatting function for solver error + Add error types in ModulePackageContainer + Implement module enable for context part + Improve string formatting for translation + Remove redundant printf and change logging info to notice (rh#1827424) + Add allow_vendor_change option (rh#1788371) (rh#1788371) Update to version 0.54.2 + history: Fix dnf history rollback when a package was removed (rh#1683134) + Add support for HY_GT, HY_LT in query nevra_strict + Fix parsing empty lines in config files + Accept '==' as an operator in reldeps (rh#1847946) + Add log file level main config option (rh#1802074) + Add protect_running_kernel configuration option (rh#1698145) + Context part of libdnf cannot assume zchunk is on (rh#1851841, rh#1779104) + Fix memory leak of resultingModuleIndex and handle g_object refs + Redirect librepo logs to libdnf logs with different source + Add hy_goal_lock + Enum/String conversions for Transaction Store/Replay + utils: Add a method to decode URLs + Unify hawkey.log line format with the rest of the logs Update to version 0.48.0 + Add prereq_ignoreinst & regular_requires properties for pkg (rh#1543449) + Reset active modules when no module enabled or default (rh#1767351) + Add comment option to transaction (rh#1773679) + Failing to get module defauls is a recoverable error + Baseurl is not exclusive with mirrorlist/metalink (rh#1775184) + Add new function to reset all modules in C API (dnf_context_reset_all_modules) + [context] Fix to preserve additionalMetadata content (rh#1808677) + Fix filtering of DepSolvables with source rpms (rh#1812596) + Add setter for running kernel protection setting + Handle situation when an unprivileged user cannot create history database (rh#1634385) + Add query filter: latest by priority + Add DNF_NO_PROTECTED flag to allow empty list of protected packages + Remove 'dim' option from terminal colors to make them more readable (rh#1807774, rh#1814563) + [context] Error when main config file can't be opened (rh#1794864) + [context] Add function function dnf_context_is_set_config_file_path + swdb: Catch only SQLite3 exceptions and simplify the messages + MergedTransaction list multiple comments (rh#1773679) + Modify CMake to pull *.po files from weblate + Optimize DependencyContainer creation from an existing queue + fix a memory leak in dnf_package_get_requires() + Fix memory leaks on g_build_filename() + Fix memory leak in dnf_context_setup() + Add `hy_goal_favor` and `hy_goal_disfavor` + Define a cleanup function for `DnfPackageSet` + dnf-repo: fix dnf_repo_get_public_keys double-free + Do not cache RPMDB + Use single-quotes around string literals used in SQL statements + SQLite3: Do not close the database if it wasn't opened (rh#1761976) + Don't create a new history DB connection for in-memory DB + transaction/Swdb: Use a single logger variable in constructor + utils: Add a safe version of pathExists() + swdb: Handle the case when pathExists() fails on e.g. permission + Repo: prepend "file://" if a local path is used as baseurl + Move urlEncode() to utils + utils: Add 'exclude' argument to urlEncode() + Encode package URL for downloading through librepo (rh#1817130) + Replace std::runtime_error with libdnf::RepoError + Fixes and error handling improvements of the File class + [context] Use ConfigRepo for gpgkey and baseurl (rh#1807864) + [context] support "priority" option in .repo config file (rh#1797265) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2021-2685=1 Package List: - openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64): libdnf-debuginfo-0.62.0-5.3.1 libdnf-debugsource-0.62.0-5.3.1 libdnf-devel-0.62.0-5.3.1 libdnf-repo-config-zypp-0.62.0-5.3.1 libdnf2-0.62.0-5.3.1 libdnf2-debuginfo-0.62.0-5.3.1 python3-hawkey-0.62.0-5.3.1 python3-hawkey-debuginfo-0.62.0-5.3.1 python3-libdnf-0.62.0-5.3.1 python3-libdnf-debuginfo-0.62.0-5.3.1 - openSUSE Leap 15.3 (noarch): hawkey-man-0.62.0-5.3.1 References: https://www.suse.com/security/cve/CVE-2021-20271.html https://www.suse.com/security/cve/CVE-2021-3421.html https://www.suse.com/security/cve/CVE-2021-3445.html https://bugzilla.suse.com/1183779