Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.2576.2
Security update for libzypp, zypper
12 September 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libzypp
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-7685 CVE-2017-9269 CVE-2017-7436
CVE-2017-7435
Reference: ESB-2017.2145
ESB-2017.1928
Original Bulletin:
https://www.suse.com/support/update/announcement/2018/suse-su-20182555-1/
https://www.suse.com/support/update/announcement/2018/suse-su-20182688-1/
https://www.suse.com/support/update/announcement/2018/suse-su-20182690-1/
Comment: This bulletin contains three (3) SUSE security advisories.
Revision History: September 12 2018: Added additional bulletins
August 31 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:2555-1
Rating: important
References: #1037210 #1038984 #1045735 #1048315 #1054088
#1070851 #1076192 #1088705 #1091624 #1092413
#1096803 #1100028 #1101349 #1102429
Cross-References: CVE-2017-7435 CVE-2017-7436 CVE-2017-9269
CVE-2018-7685
Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP1
SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________
An update that solves four vulnerabilities and has 10 fixes
is now available.
Description:
This update for libzypp, zypper provides the following fixes:
libzypp security fixes:
- CVE-2018-7685: Validate RPMs before caching (bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache
(bsc#1045735)
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix repo gpg check
workflows, mainly for unsigned repos and packages (bsc#1045735,
bsc#1038984)
libzypp changes:
- RepoManager: Explicitly request repo2solv to generate application pseudo
packages.
- Prefer calling "repo2solv" rather than "repo2solv.sh".
- libzypp-devel should not require cmake. (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been
loaded. (bsc#1096803)
- Avoid zombie tar processes. (bsc#1076192)
- man: Make sure that '--config FILE' affects zypper.conf, not zypp.conf.
(bsc#1100028)
- ansi.h: Prevent ESC sequence strings from going out of scope.
(bsc#1092413)
- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling
(bsc#1045735)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Use common workflow for downloading packages and srcpackages. This
includes a common way of handling and reporting gpg signature and
checks. (bsc#1037210)
- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
- Adapt to work with GnuPG 2.1.23 (bsc#1054088) Use 'gpg --list-packets'
to determine the keyid to verify a signature.
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
zypper security fixes:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings
(bsc#1045735, CVE-2017-9269)
- Adapt download callback to report and handle unsigned packages
(bsc#1038984, CVE-2017-7436)
zypper changes:
- download: fix crash when non-package types are passed as argument
(bsc#1037210)
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server for SAP 12-SP1:
zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1792=1
- SUSE Linux Enterprise Server 12-SP1-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1792=1
Package List:
- SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):
libzypp-15.25.17-46.22.1
libzypp-debuginfo-15.25.17-46.22.1
libzypp-debugsource-15.25.17-46.22.1
zypper-1.12.59-46.10.1
zypper-debuginfo-1.12.59-46.10.1
zypper-debugsource-1.12.59-46.10.1
- SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):
zypper-log-1.12.59-46.10.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):
libzypp-15.25.17-46.22.1
libzypp-debuginfo-15.25.17-46.22.1
libzypp-debugsource-15.25.17-46.22.1
zypper-1.12.59-46.10.1
zypper-debuginfo-1.12.59-46.10.1
zypper-debugsource-1.12.59-46.10.1
- SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):
zypper-log-1.12.59-46.10.1
References:
https://www.suse.com/security/cve/CVE-2017-7435.html
https://www.suse.com/security/cve/CVE-2017-7436.html
https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1037210
https://bugzilla.suse.com/1038984
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1048315
https://bugzilla.suse.com/1054088
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1076192
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102429
- -------------------------------------------------------------------------------
SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:2688-1
Rating: important
References: #1036304 #1037210 #1038984 #1045735 #1048315
#1054088 #1070851 #1076192 #1079334 #1088705
#1091624 #1092413 #1096803 #1099847 #1100028
#1101349 #1102429
Cross-References: CVE-2017-7435 CVE-2017-7436 CVE-2017-9269
CVE-2018-7685
Affected Products:
SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________
An update that solves four vulnerabilities and has 13 fixes
is now available.
Description:
This update for libzypp, zypper fixes the following issues:
libzypp security fixes:
- PackageProvider: Validate delta rpms before caching (bsc#1091624,
bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before
caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- Be sure bad packages do not stay in the cache (bsc#1045735,
CVE-2017-9269)
- Fix repo gpg check workflows, mainly for unsigned repos and packages
(bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269)
libzypp other changes/bugs fixed:
- Update to version 14.45.17
- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling
(bsc#1045735)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Use common workflow for downloading packages and srcpackages. This
includes a common way of handling and reporting gpg signature and
checks. (bsc#1037210)
- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
- Adapt to work with GnuPG 2.1.23 (bsc#1054088)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo
packages.
- Prefer calling "repo2solv" rather than "repo2solv.sh"
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been
been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
zypper security fixes:
- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings
(bsc#1045735, CVE-2017-9269)
- Adapt download callback to report and handle unsigned packages
(bsc#1038984, CVE-2017-7436)
zypper other changes/bugs fixed:
- Update to version 1.11.70
- Bugfix: Prevent ESC sequence strings from going out of scope
(bsc#1092413)
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf
(bsc#1100028)
- ansi.h: Prevent ESC sequence strings from going out of scope
(bsc#1092413)
- do not recommend cron (bsc#1079334)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-2018-1879=1
Package List:
- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):
libzypp-14.45.17-2.82.1
libzypp-debuginfo-14.45.17-2.82.1
libzypp-debugsource-14.45.17-2.82.1
zypper-1.11.70-2.69.2
zypper-debuginfo-1.11.70-2.69.2
zypper-debugsource-1.11.70-2.69.2
- SUSE Linux Enterprise Server 12-LTSS (noarch):
zypper-log-1.11.70-2.69.2
References:
https://www.suse.com/security/cve/CVE-2017-7435.html
https://www.suse.com/security/cve/CVE-2017-7436.html
https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1037210
https://bugzilla.suse.com/1038984
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1048315
https://bugzilla.suse.com/1054088
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1076192
https://bugzilla.suse.com/1079334
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102429
- -------------------------------------------------------------------------------
SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:2690-1
Rating: important
References: #1036304 #1041178 #1043166 #1045735 #1058515
#1066215 #1070770 #1070851 #1082318 #1084525
#1088037 #1088705 #1091624 #1092413 #1093103
#1096217 #1096617 #1096803 #1099847 #1100028
#1100095 #1100427 #1101349 #1102019 #1102429
#408814 #428822 #907538
Cross-References: CVE-2017-9269 CVE-2018-7685
Affected Products:
SUSE Linux Enterprise Module for Development Tools 15
SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________
An update that solves two vulnerabilities and has 26 fixes
is now available.
Description:
This update for libzypp, zypper, libsolv provides the following fixes:
Security fixes in libzypp:
- CVE-2018-7685: PackageProvider: Validate RPMs before caching
(bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache
(bsc#1045735)
Changes in libzypp:
- Update to version 17.6.4
- Automatically fetch repository signing key from gpgkey url (bsc#1088037)
- lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
- Check for not imported keys after multi key import from rpmdb
(bsc#1096217)
- Flags: make it std=c++14 ready
- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
- Show GPGME version in log
- Adapt to changes in libgpgme11-11.1.0 breaking the signature
verification (bsc#1100427)
- RepoInfo::provideKey: add report telling where we look for missing keys.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Add new report to request user approval for importing a package key
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- Add filesize check for downloads with known size (bsc#408814)
- Removed superfluous space in translation (bsc#1102019)
- Prevent the system from sleeping during a commit
- RepoManager: Explicitly request repo2solv to generate application pseudo
packages.
- libzypp-devel should not require cmake (bsc#1101349)
- Avoid zombies from ExternalProgram
- Update ApiConfig
- HardLocksFile: Prevent against empty commit without Target having been
been loaded (bsc#1096803)
- lsof: use '-K i' if lsof supports it (bsc#1099847)
- Add filesize check for downloads with known size (bsc#408814)
- Fix detection of metalink downloads and prevent aborting if a metalink
file is larger than the expected data file.
- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
- Make use of %license macro (bsc#1082318)
Security fix in zypper:
- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)
Changes in zypper:
- Always set error status if any nr of unknown repositories are passed to
lr and ref (bsc#1093103)
- Notify user about unsupported rpm V3 keys in an old rpm database
(bsc#1096217)
- Detect read only filesystem on system modifying operations (fixes #199)
- Use %license (bsc#1082318)
- Handle repo aliases containing multiple ':' in the PackageArgs parser
(bsc #1041178)
- Fix broken display of detailed query results.
- Fix broken search for items with a dash. (bsc#907538, bsc#1043166,
bsc#1070770)
- Disable repository operations when searching installed packages.
(bsc#1084525)
- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope.
(bsc#1092413)
- Fix some translation errors.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Check for root privileges in zypper verify and si (bsc#1058515)
- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
- Add expert (allow-*) options to all installer commands (bsc#428822)
- Sort search results by multiple columns (bsc#1066215)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf
(bsc#1100028)
- Set error status if repositories passed to lr and ref are not known
(bsc#1093103)
- Do not override table style in search
- Fix out of bound read in MbsIterator
- Add --supplements switch to search and info
- Add setter functions for zypp cache related config values to ZConfig
Changes in libsolv:
- convert repo2solv.sh script into a binary tool
- Make use of %license macro (bsc#1082318)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Development Tools 15:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1883=1
- SUSE Linux Enterprise Module for Basesystem 15:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1883=1
Package List:
- SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le
s390x x86_64):
libsolv-debuginfo-0.6.35-3.5.2
libsolv-debugsource-0.6.35-3.5.2
perl-solv-0.6.35-3.5.2
perl-solv-debuginfo-0.6.35-3.5.2
python3-solv-0.6.35-3.5.2
python3-solv-debuginfo-0.6.35-3.5.2
ruby-solv-0.6.35-3.5.2
ruby-solv-debuginfo-0.6.35-3.5.2
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x
x86_64):
libsolv-debuginfo-0.6.35-3.5.2
libsolv-debugsource-0.6.35-3.5.2
libsolv-devel-0.6.35-3.5.2
libsolv-devel-debuginfo-0.6.35-3.5.2
libsolv-tools-0.6.35-3.5.2
libsolv-tools-debuginfo-0.6.35-3.5.2
libzypp-17.6.4-3.10.1
libzypp-debuginfo-17.6.4-3.10.1
libzypp-debugsource-17.6.4-3.10.1
libzypp-devel-17.6.4-3.10.1
python-solv-0.6.35-3.5.2
python-solv-debuginfo-0.6.35-3.5.2
zypper-1.14.10-3.7.1
zypper-debuginfo-1.14.10-3.7.1
zypper-debugsource-1.14.10-3.7.1
- SUSE Linux Enterprise Module for Basesystem 15 (noarch):
zypper-log-1.14.10-3.7.1
References:
https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1041178
https://bugzilla.suse.com/1043166
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1058515
https://bugzilla.suse.com/1066215
https://bugzilla.suse.com/1070770
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1084525
https://bugzilla.suse.com/1088037
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1093103
https://bugzilla.suse.com/1096217
https://bugzilla.suse.com/1096617
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1100095
https://bugzilla.suse.com/1100427
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102019
https://bugzilla.suse.com/1102429
https://bugzilla.suse.com/408814
https://bugzilla.suse.com/428822
https://bugzilla.suse.com/907538
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW5inIGaOgq3Tt24GAQjxZg//YuX8oW3faibDnioXkU91QvlNS8RIUDeH
uEQoXarYV7rPa0qcRplPF9aUNho98FfdMNgvuwsZjZuupOVeyFFDrJHV6Dqxeirz
uz5i9xKBWQk1o2lwwxjWTXvQHxGP8rv1Xjdfx9Efiqp7StzX0npZHRmRaBqcNew/
tJapb9qJQ4stGlM32bmWUDpwN28dDFuVPGD5pIzvG6z3t812iiJsacWy0BR8fxbB
6f2LXqmJgKBbKJwm2ceHGl70eOujYy4Dv5dA96CZFyLhsL3ElNYKVHtKhGAZWMzI
fo+LdPuxe1uLDQZkNnPdd3L3yg5fzrsG1actom/L+FuyoLuHoVCEmnOaqsPWLDqB
9HaG4AON9avcuXQ0j2RX7JiS5qRFQLhvnqUqJZ5cAA0ItZZxnb4auYYAmmfGu9KS
DE39/0PTPL9045O+eR1d+VD/wOhiaoNoGC6j+fs3D2v6Sc6gXXy637NOrHwOsVBW
zNuE77FBcZOmHlF14CBi6qziidGJLq6uDKrystXyzPBcgVVlD7ziBckuVk5VQXNp
q695z//PUQoLIRVB1Ex+F5ciiF2zxDNIa5bdi8GSJNlWitRZozCZZ6zxwHrNCWsL
qzq/i4kHaXFRo14nflzXgXm9miwYol4IYOLQ/MAuYf6Xit4rJBvURQ8Du/WgFVkv
sltQBXz+djg=
=0xy9
-----END PGP SIGNATURE-----