openSUSE-RU-2019:2391-1: important: Recommended update for libzypp, zypper, libsolv and PackageKit
openSUSE Recommended Update: Recommended update for libzypp, zypper, libsolv and PackageKit
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2019:2391-1
Rating:             important
References:         #1049825 #1116995 #1120629 #1120630 #1120631 #1127155
                    #1127608 #1130306 #1131113 #1131823 #1134226 #1135749
                    #1137977 #1139795 #1140039 #1145521 #1146027 #1146415
                    #1146947 #1153557 #859480
Affected Products:
                    openSUSE Leap 15.1
______________________________________________________________________________

An update that solves three vulnerabilities and has 18 fixes is now available.

Description:

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

Patch Instructions:

To install this openSUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2019-2391=1

Package List:

- openSUSE Leap 15.1 (i586 x86_64):

    PackageKit-1.1.10-lp151.8.6.1
    PackageKit-backend-zypp-1.1.10-lp151.8.6.1
    PackageKit-backend-zypp-debuginfo-1.1.10-lp151.8.6.1
    PackageKit-debuginfo-1.1.10-lp151.8.6.1
    PackageKit-debugsource-1.1.10-lp151.8.6.1
    PackageKit-devel-1.1.10-lp151.8.6.1
    PackageKit-devel-debuginfo-1.1.10-lp151.8.6.1
    PackageKit-gstreamer-plugin-1.1.10-lp151.8.6.1
    PackageKit-gstreamer-plugin-debuginfo-1.1.10-lp151.8.6.1
    PackageKit-gtk3-module-1.1.10-lp151.8.6.1
    PackageKit-gtk3-module-debuginfo-1.1.10-lp151.8.6.1
    libpackagekit-glib2-18-1.1.10-lp151.8.6.1
    libpackagekit-glib2-18-debuginfo-1.1.10-lp151.8.6.1
    libpackagekit-glib2-devel-1.1.10-lp151.8.6.1
    libsolv-debuginfo-0.7.6-lp151.2.3.2
    libsolv-debugsource-0.7.6-lp151.2.3.2
    libsolv-demo-0.7.6-lp151.2.3.2
    libsolv-demo-debuginfo-0.7.6-lp151.2.3.2
    libsolv-devel-0.7.6-lp151.2.3.2
    libsolv-devel-debuginfo-0.7.6-lp151.2.3.2
    libsolv-tools-0.7.6-lp151.2.3.2
    libsolv-tools-debuginfo-0.7.6-lp151.2.3.2
    libyui-ncurses-pkg-debugsource-2.48.9-lp151.2.3.1
    libyui-ncurses-pkg-devel-2.48.9-lp151.2.3.1
    libyui-ncurses-pkg9-2.48.9-lp151.2.3.1
    libyui-ncurses-pkg9-debuginfo-2.48.9-lp151.2.3.1
    libyui-qt-pkg-debugsource-2.45.27-lp151.2.3.1
    libyui-qt-pkg-devel-2.45.27-lp151.2.3.1
    libyui-qt-pkg9-2.45.27-lp151.2.3.1
    libyui-qt-pkg9-debuginfo-2.45.27-lp151.2.3.1
    libzypp-17.15.0-lp151.2.3.2
    libzypp-debuginfo-17.15.0-lp151.2.3.2
    libzypp-debugsource-17.15.0-lp151.2.3.2
    libzypp-devel-17.15.0-lp151.2.3.2
    libzypp-devel-doc-17.15.0-lp151.2.3.2
    perl-solv-0.7.6-lp151.2.3.2
    perl-solv-debuginfo-0.7.6-lp151.2.3.2
    python-solv-0.7.6-lp151.2.3.2
    python-solv-debuginfo-0.7.6-lp151.2.3.2
    python3-solv-0.7.6-lp151.2.3.2
    python3-solv-debuginfo-0.7.6-lp151.2.3.2
    ruby-solv-0.7.6-lp151.2.3.2
    ruby-solv-debuginfo-0.7.6-lp151.2.3.2
    typelib-1_0-PackageKitGlib-1_0-1.1.10-lp151.8.6.1
    yast2-pkg-bindings-4.1.2-lp151.2.3.1
    yast2-pkg-bindings-debuginfo-4.1.2-lp151.2.3.1
    yast2-pkg-bindings-debugsource-4.1.2-lp151.2.3.1
    zypper-1.14.30-lp151.2.3.1
    zypper-debuginfo-1.14.30-lp151.2.3.1
    zypper-debugsource-1.14.30-lp151.2.3.1

- openSUSE Leap 15.1 (x86_64):

    libpackagekit-glib2-18-32bit-1.1.10-lp151.8.6.1
    libpackagekit-glib2-18-32bit-debuginfo-1.1.10-lp151.8.6.1
    libpackagekit-glib2-devel-32bit-1.1.10-lp151.8.6.1

- openSUSE Leap 15.1 (noarch):

    PackageKit-branding-upstream-1.1.10-lp151.8.6.1
    PackageKit-lang-1.1.10-lp151.8.6.1
    libyui-ncurses-pkg-doc-2.48.9-lp151.2.3.1
    libyui-qt-pkg-doc-2.45.27-lp151.2.3.1
    yast2-pkg-bindings-devel-doc-4.1.2-lp151.2.3.1
    zypper-aptitude-1.14.30-lp151.2.3.1
    zypper-log-1.14.30-lp151.2.3.1
    zypper-needs-restarting-1.14.30-lp151.2.3.1

References:

    https://www.suse.com/security/cve/CVE-2018-20532.html
    https://www.suse.com/security/cve/CVE-2018-20533.html
    https://www.suse.com/security/cve/CVE-2018-20534.html
    https://bugzilla.suse.com/1049825
    https://bugzilla.suse.com/1116995
    https://bugzilla.suse.com/1120629
    https://bugzilla.suse.com/1120630
    https://bugzilla.suse.com/1120631
    https://bugzilla.suse.com/1127155
    https://bugzilla.suse.com/1127608
    https://bugzilla.suse.com/1130306
    https://bugzilla.suse.com/1131113
    https://bugzilla.suse.com/1131823
    https://bugzilla.suse.com/1134226
    https://bugzilla.suse.com/1135749
    https://bugzilla.suse.com/1137977
    https://bugzilla.suse.com/1139795
    https://bugzilla.suse.com/1140039
    https://bugzilla.suse.com/1145521
    https://bugzilla.suse.com/1146027
    https://bugzilla.suse.com/1146415
    https://bugzilla.suse.com/1146947
    https://bugzilla.suse.com/1153557
    https://bugzilla.suse.com/859480
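
Added example (not part of the original announcement, and not SUSE tooling): a check that flags hosts still below the fixed versions in the package list above, given the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`. The comparison is a simplified rpmvercmp that ignores epochs and the `~`/`^` modifiers, and the sample listing is constructed.

```python
import re

# Fixed version-release strings copied from the package list in this advisory.
FIXED = {
    "libsolv-tools": "0.7.6-lp151.2.3.2",
    "libzypp": "17.15.0-lp151.2.3.2",
    "zypper": "1.14.30-lp151.2.3.1",
    "PackageKit": "1.1.10-lp151.8.6.1",
}

# Constructed sample listing; the older version strings are made up.
SAMPLE = """\
libzypp 17.15.0-lp151.2.3.2
zypper 1.14.28-lp151.2.1.1
libsolv-tools 0.7.4-lp151.2.1.1
PackageKit 1.1.10-lp151.8.6.1
bash 4.4-lp151.9.53
"""

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm: returns -1, 0 or 1."""
    if a == b:
        return 0
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:               # a numeric segment is newer than an alpha one
            return 1 if xnum else -1
        if xnum:
            x, y = int(x), int(y)      # compare numbers by value, not as strings
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))  # leftover segments win

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def outdated(listing):
    """Return {package: installed} for tracked packages below the fixed level."""
    found = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED and evr_cmp(parts[1], FIXED[parts[0]]) < 0:
            found[parts[0]] = parts[1]
    return found

if __name__ == "__main__":
    for name, ver in outdated(SAMPLE).items():
        print(f"{name}: installed {ver}, fixed in {FIXED[name]}")
```
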