-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2576.2
                   Security update for libzypp, zypper
                             12 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libzypp
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7685 CVE-2017-9269 CVE-2017-7436 CVE-2017-7435
Reference:         ESB-2017.2145
                   ESB-2017.1928

Original Bulletin:
   https://www.suse.com/support/update/announcement/2018/suse-su-20182555-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20182688-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20182690-1/

Comment: This bulletin contains three (3) SUSE security advisories.

Revision History:  September 12 2018: Added additional bulletins
                   August 31 2018:    Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2555-1
Rating:             important
References:         #1037210 #1038984 #1045735 #1048315 #1054088 #1070851
                    #1076192 #1088705 #1091624 #1092413 #1096803 #1100028
                    #1101349 #1102429
Cross-References:   CVE-2017-7435 CVE-2017-7436 CVE-2017-9269 CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

An update that solves four vulnerabilities and has 10 fixes is now available.

Description:

This update for libzypp, zypper provides the following fixes:

libzypp security fixes:

- CVE-2018-7685: Validate RPMs before caching (bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix repo gpg check workflows,
  mainly for unsigned repos and packages (bsc#1045735, bsc#1038984)

libzypp changes:

- RepoManager: Explicitly request repo2solv to generate application pseudo
  packages.
- Prefer calling "repo2solv" rather than "repo2solv.sh".
- libzypp-devel should not require cmake. (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been
  loaded. (bsc#1096803)
- Avoid zombie tar processes. (bsc#1076192)
- man: Make sure that '--config FILE' affects zypper.conf, not zypp.conf.
  (bsc#1100028)
- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling
  (bsc#1045735)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Use common workflow for downloading packages and srcpackages. This includes
  a common way of handling and reporting gpg signature and checks.
  (bsc#1037210)
- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
- Adapt to work with GnuPG 2.1.23 (bsc#1054088). Use 'gpg --list-packets' to
  determine the keyid to verify a signature.
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)

zypper security fixes:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735,
  CVE-2017-9269)
- Adapt download callback to report and handle unsigned packages
  (bsc#1038984, CVE-2017-7436)

zypper changes:

- download: fix crash when non-package types are passed as argument
  (bsc#1037210)
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP1:

   zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1792=1

- SUSE Linux Enterprise Server 12-SP1-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1792=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

   libzypp-15.25.17-46.22.1
   libzypp-debuginfo-15.25.17-46.22.1
   libzypp-debugsource-15.25.17-46.22.1
   zypper-1.12.59-46.10.1
   zypper-debuginfo-1.12.59-46.10.1
   zypper-debugsource-1.12.59-46.10.1

- SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

   zypper-log-1.12.59-46.10.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

   libzypp-15.25.17-46.22.1
   libzypp-debuginfo-15.25.17-46.22.1
   libzypp-debugsource-15.25.17-46.22.1
   zypper-1.12.59-46.10.1
   zypper-debuginfo-1.12.59-46.10.1
   zypper-debugsource-1.12.59-46.10.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

   zypper-log-1.12.59-46.10.1

References:

https://www.suse.com/security/cve/CVE-2017-7435.html
https://www.suse.com/security/cve/CVE-2017-7436.html
https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1037210
https://bugzilla.suse.com/1038984
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1048315
https://bugzilla.suse.com/1054088
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1076192
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102429

- -------------------------------------------------------------------------------

SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2688-1
Rating:             important
References:         #1036304 #1037210 #1038984 #1045735 #1048315 #1054088
                    #1070851 #1076192 #1079334 #1088705 #1091624 #1092413
                    #1096803 #1099847 #1100028 #1101349 #1102429
Cross-References:   CVE-2017-7435 CVE-2017-7436 CVE-2017-9269 CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

An update that solves four vulnerabilities and has 13 fixes is now available.

Description:

This update for libzypp, zypper fixes the following issues:

libzypp security fixes:

- PackageProvider: Validate delta rpms before caching (bsc#1091624,
  bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching
  (bsc#1091624, bsc#1088705, CVE-2018-7685)
- Be sure bad packages do not stay in the cache (bsc#1045735, CVE-2017-9269)
- Fix repo gpg check workflows, mainly for unsigned repos and packages
  (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269)

libzypp other changes/bugs fixed:

- Update to version 14.45.17
- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling
  (bsc#1045735)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Use common workflow for downloading packages and srcpackages. This includes
  a common way of handling and reporting gpg signature and checks.
  (bsc#1037210)
- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
- Adapt to work with GnuPG 2.1.23 (bsc#1054088)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo
  packages.
- Prefer calling "repo2solv" rather than "repo2solv.sh"
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been
  loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)

zypper security fixes:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735,
  CVE-2017-9269)
- Adapt download callback to report and handle unsigned packages
  (bsc#1038984, CVE-2017-7436)

zypper other changes/bugs fixed:

- Update to version 1.11.70
- Bugfix: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf
  (bsc#1100028)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- do not recommend cron (bsc#1079334)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-2018-1879=1

Package List:

- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

   libzypp-14.45.17-2.82.1
   libzypp-debuginfo-14.45.17-2.82.1
   libzypp-debugsource-14.45.17-2.82.1
   zypper-1.11.70-2.69.2
   zypper-debuginfo-1.11.70-2.69.2
   zypper-debugsource-1.11.70-2.69.2

- SUSE Linux Enterprise Server 12-LTSS (noarch):

   zypper-log-1.11.70-2.69.2

References:

https://www.suse.com/security/cve/CVE-2017-7435.html
https://www.suse.com/security/cve/CVE-2017-7436.html
https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1037210
https://bugzilla.suse.com/1038984
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1048315
https://bugzilla.suse.com/1054088
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1076192
https://bugzilla.suse.com/1079334
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102429

- -------------------------------------------------------------------------------

SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2690-1
Rating:             important
References:         #1036304 #1041178 #1043166 #1045735 #1058515 #1066215
                    #1070770 #1070851 #1082318 #1084525 #1088037 #1088705
                    #1091624 #1092413 #1093103 #1096217 #1096617 #1096803
                    #1099847 #1100028 #1100095 #1100427 #1101349 #1102019
                    #1102429 #408814 #428822 #907538
Cross-References:   CVE-2017-9269 CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that solves two vulnerabilities and has 26 fixes is now available.

Description:

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

- CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624,
  bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)

Changes in libzypp:

- Update to version 17.6.4
- Automatically fetch repository signing key from gpgkey url (bsc#1088037)
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Check for not imported keys after multi key import from rpmdb (bsc#1096217)
- Flags: make it std=c++14 ready
- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
- Show GPGME version in log
- Adapt to changes in libgpgme11-11.1.0 breaking the signature verification
  (bsc#1100427)
- RepoInfo::provideKey: add report telling where we look for missing keys.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Add new report to request user approval for importing a package key
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- Add filesize check for downloads with known size (bsc#408814)
- Removed superfluous space in translation (bsc#1102019)
- Prevent the system from sleeping during a commit
- RepoManager: Explicitly request repo2solv to generate application pseudo
  packages.
- libzypp-devel should not require cmake (bsc#1101349)
- Avoid zombies from ExternalProgram
- Update ApiConfig
- HardLocksFile: Prevent against empty commit without Target having been
  loaded (bsc#1096803)
- lsof: use '-K i' if lsof supports it (bsc#1099847)
- Add filesize check for downloads with known size (bsc#408814)
- Fix detection of metalink downloads and prevent aborting if a metalink file
  is larger than the expected data file.
- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
- Make use of %license macro (bsc#1082318)

Security fix in zypper:

- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

- Always set error status if any nr of unknown repositories are passed to lr
  and ref (bsc#1093103)
- Notify user about unsupported rpm V3 keys in an old rpm database
  (bsc#1096217)
- Detect read only filesystem on system modifying operations (fixes #199)
- Use %license (bsc#1082318)
- Handle repo aliases containing multiple ':' in the PackageArgs parser
  (bsc #1041178)
- Fix broken display of detailed query results.
- Fix broken search for items with a dash. (bsc#907538, bsc#1043166,
  bsc#1070770)
- Disable repository operations when searching installed packages.
  (bsc#1084525)
- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
- Fix some translation errors.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Check for root privileges in zypper verify and si (bsc#1058515)
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- Add expert (allow-*) options to all installer commands (bsc#428822)
- Sort search results by multiple columns (bsc#1066215)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf
  (bsc#1100028)
- Set error status if repositories passed to lr and ref are not known
  (bsc#1093103)
- Do not override table style in search
- Fix out of bound read in MbsIterator
- Add --supplements switch to search and info
- Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

- convert repo2solv.sh script into a binary tool
- Make use of %license macro (bsc#1082318)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Development Tools 15:

   zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1883=1

- SUSE Linux Enterprise Module for Basesystem 15:

   zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1883=1

Package List:

- SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):

   libsolv-debuginfo-0.6.35-3.5.2
   libsolv-debugsource-0.6.35-3.5.2
   perl-solv-0.6.35-3.5.2
   perl-solv-debuginfo-0.6.35-3.5.2
   python3-solv-0.6.35-3.5.2
   python3-solv-debuginfo-0.6.35-3.5.2
   ruby-solv-0.6.35-3.5.2
   ruby-solv-debuginfo-0.6.35-3.5.2

- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):

   libsolv-debuginfo-0.6.35-3.5.2
   libsolv-debugsource-0.6.35-3.5.2
   libsolv-devel-0.6.35-3.5.2
   libsolv-devel-debuginfo-0.6.35-3.5.2
   libsolv-tools-0.6.35-3.5.2
   libsolv-tools-debuginfo-0.6.35-3.5.2
   libzypp-17.6.4-3.10.1
   libzypp-debuginfo-17.6.4-3.10.1
   libzypp-debugsource-17.6.4-3.10.1
   libzypp-devel-17.6.4-3.10.1
   python-solv-0.6.35-3.5.2
   python-solv-debuginfo-0.6.35-3.5.2
   zypper-1.14.10-3.7.1
   zypper-debuginfo-1.14.10-3.7.1
   zypper-debugsource-1.14.10-3.7.1

- SUSE Linux Enterprise Module for Basesystem 15 (noarch):

   zypper-log-1.14.10-3.7.1

References:

https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1041178
https://bugzilla.suse.com/1043166
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1058515
https://bugzilla.suse.com/1066215
https://bugzilla.suse.com/1070770
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1084525
https://bugzilla.suse.com/1088037
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1093103
https://bugzilla.suse.com/1096217
https://bugzilla.suse.com/1096617
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1100095
https://bugzilla.suse.com/1100427
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102019
https://bugzilla.suse.com/1102429
https://bugzilla.suse.com/408814
https://bugzilla.suse.com/428822
https://bugzilla.suse.com/907538

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
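The Package Lists in the three advisories above give, per product, the package versions that carry the fixes. When checking a fleet against them, the pitfall is that RPM versions cannot be compared as plain strings (release 46.5.1 sorts after 46.10.1 lexically, yet is older). The following is an added example, not part of the AusCERT bulletin or of SUSE's advisory: a Python implementation of rpm's rpmvercmp segment rules, applied to a constructed sample of `rpm -qa` output with the fixed versions copied from SUSE-SU-2018:2555-1 for SUSE Linux Enterprise Server 12-SP1. The sample installed-package lines and the helper names (`rpmvercmp`, `split_nvr`, `evr_cmp`, `unpatched`) are constructed for this example.

```python
import re

# Fixed versions for SUSE Linux Enterprise Server 12-SP1 / 12-SP1-LTSS, copied
# from the Package List of SUSE-SU-2018:2555-1. Other products need their own
# table (14.45.17 for SLES 12-LTSS, 17.6.4 for SLE 15), so never mix them.
FIXED_SLES12_SP1 = {
    "libzypp": "15.25.17-46.22.1",
    "zypper": "1.12.59-46.10.1",
    "zypper-log": "1.12.59-46.10.1",
}

# Constructed sample of `rpm -qa` output (not captured from a real host):
# one package at the fixed version, one one release behind, one unrelated.
SAMPLE_RPM_QA = [
    "libzypp-15.25.17-46.22.1.x86_64",
    "zypper-1.12.59-46.5.1.x86_64",
    "zypper-log-1.12.59-46.10.1.noarch",
    "bash-4.3-83.1.x86_64",
]

ARCHES = {"x86_64", "ppc64le", "s390x", "aarch64", "noarch", "i586"}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _is_token(c: str) -> bool:
    """Characters rpmvercmp compares; everything else is a separator."""
    return c in "~^" or (c.isascii() and c.isalnum())


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm's rules).

    Digit runs compare numerically, letter runs lexically, a digit run beats a
    letter run, '~' sorts before anything including end of string (pre-release
    tags), and '^' sorts after end of string but before any further segment.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_token(a[i]):
            i += 1
        while j < len(b) and not _is_token(b[j]):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        seg_a, seg_b = _SEGMENT.match(a, i).group(0), _SEGMENT.match(b, j).group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        a_num, b_num = seg_a[0].isdigit(), seg_b[0].isdigit()
        if a_num != b_num:
            return 1 if a_num else -1
        if a_num:  # numeric: drop leading zeros, longer run is larger
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whichever still has segments is newer


def split_nvr(pkg: str) -> tuple:
    """Split 'name-version-release[.arch]' as printed by `rpm -qa`."""
    base, _, arch = pkg.rpartition(".")
    if arch in ARCHES:
        pkg = base
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def evr_cmp(a: tuple, b: tuple) -> int:
    """Compare (epoch, version, release) tuples; the first differing field decides."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def unpatched(rpm_qa_lines, fixed: dict) -> list:
    """Names of installed packages from `fixed` that are still older than the fix."""
    stale = []
    for line in rpm_qa_lines:
        name, ver, rel = split_nvr(line.strip())
        if name not in fixed:
            continue
        fixed_ver, fixed_rel = fixed[name].rsplit("-", 1)
        # The bulletin lists no epochs, so both sides are treated as epoch 0.
        if evr_cmp(("0", ver, rel), ("0", fixed_ver, fixed_rel)) < 0:
            stale.append(name)
    return stale


if __name__ == "__main__":
    for name in unpatched(SAMPLE_RPM_QA, FIXED_SLES12_SP1):
        print(f"{name}: older than the version shipped in SUSE-SU-2018:2555-1")
```

On a real host the `SAMPLE_RPM_QA` list would be replaced by the output of `rpm -qa libzypp zypper zypper-log`, and a production check should also read `%{EPOCH}` rather than assuming 0. The table must match the product the host actually runs: the three advisories ship different version numbers for the same packages, and a SLE 15 host at 17.6.4 is patched even though 17.6.4 is not comparable to the 15.25.17 listed for SLES 12-SP1. Where zypper itself is trusted, `zypper patch-info SUSE-SLE-SERVER-12-SP1-2018-1792` is the authoritative source for whether the patch applies and is installed.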
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5inIGaOgq3Tt24GAQjxZg//YuX8oW3faibDnioXkU91QvlNS8RIUDeH
uEQoXarYV7rPa0qcRplPF9aUNho98FfdMNgvuwsZjZuupOVeyFFDrJHV6Dqxeirz
uz5i9xKBWQk1o2lwwxjWTXvQHxGP8rv1Xjdfx9Efiqp7StzX0npZHRmRaBqcNew/
tJapb9qJQ4stGlM32bmWUDpwN28dDFuVPGD5pIzvG6z3t812iiJsacWy0BR8fxbB
6f2LXqmJgKBbKJwm2ceHGl70eOujYy4Dv5dA96CZFyLhsL3ElNYKVHtKhGAZWMzI
fo+LdPuxe1uLDQZkNnPdd3L3yg5fzrsG1actom/L+FuyoLuHoVCEmnOaqsPWLDqB
9HaG4AON9avcuXQ0j2RX7JiS5qRFQLhvnqUqJZ5cAA0ItZZxnb4auYYAmmfGu9KS
DE39/0PTPL9045O+eR1d+VD/wOhiaoNoGC6j+fs3D2v6Sc6gXXy637NOrHwOsVBW
zNuE77FBcZOmHlF14CBi6qziidGJLq6uDKrystXyzPBcgVVlD7ziBckuVk5VQXNp
q695z//PUQoLIRVB1Ex+F5ciiF2zxDNIa5bdi8GSJNlWitRZozCZZ6zxwHrNCWsL
qzq/i4kHaXFRo14nflzXgXm9miwYol4IYOLQ/MAuYf6Xit4rJBvURQ8Du/WgFVkv
sltQBXz+djg=
=0xy9
-----END PGP SIGNATURE-----