ESB-2018.2576.2 - UPDATE [SUSE] libzypp: Multiple vulnerabilities 2018-09-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2576.2
                    Security update for libzypp, zypper
                             12 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libzypp
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7685 CVE-2017-9269 CVE-2017-7436
                   CVE-2017-7435

Reference:         ESB-2017.2145
                   ESB-2017.1928

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20182555-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20182688-1/
   https://www.suse.com/support/update/announcement/2018/suse-su-20182690-1/

Comment: This bulletin contains three (3) SUSE security advisories.

Revision History:  September 12 2018: Added additional bulletins
                   August    31 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2555-1
Rating:             important
References:         #1037210 #1038984 #1045735 #1048315 #1054088
                    #1070851 #1076192 #1088705 #1091624 #1092413
                    #1096803 #1100028 #1101349 #1102429
Cross-References:   CVE-2017-7435 CVE-2017-7436 CVE-2017-9269
                    CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

   An update that solves four vulnerabilities and has 10 fixes
   is now available.

Description:

   This update for libzypp, zypper provides the following fixes:

   libzypp security fixes:

   - CVE-2018-7685: Validate RPMs before caching (bsc#1091624, bsc#1088705)
   - CVE-2017-9269: Be sure bad packages do not stay in the cache
     (bsc#1045735)
   - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix repo gpg check
     workflows, mainly for unsigned repos and packages (bsc#1045735,
     bsc#1038984)

   libzypp changes:

   - RepoManager: Explicitly request repo2solv to generate application pseudo
     packages.
   - Prefer calling "repo2solv" rather than "repo2solv.sh".
   - libzypp-devel should not require cmake. (bsc#1101349)
   - HardLocksFile: Prevent against empty commit without Target having been
     loaded. (bsc#1096803)
   - Avoid zombie tar processes. (bsc#1076192)
   - man: Make sure that '--config FILE' affects zypper.conf, not zypp.conf.
     (bsc#1100028)
   - ansi.h: Prevent ESC sequence strings from going out of scope.
     (bsc#1092413)
   - RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling
     (bsc#1045735)
   - repo refresh: Re-probe if the repository type changes (bsc#1048315)
   - Use common workflow for downloading packages and srcpackages. This
     includes a common way of handling and reporting gpg signature and
     checks. (bsc#1037210)
   - PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
   - Adapt to work with GnuPG 2.1.23 (bsc#1054088) Use 'gpg --list-packets'
     to determine the keyid to verify a signature.
   - Handle http error 502 Bad Gateway in curl backend (bsc#1070851)

   zypper security fixes:

   - Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
   - add/modify repo: Add options to tune the GPG check settings
     (bsc#1045735, CVE-2017-9269)
   - Adapt download callback to report and handle unsigned packages
     (bsc#1038984, CVE-2017-7436)

   zypper changes:

   - download: fix crash when non-package types are passed as argument
     (bsc#1037210)
   - XML <install-summary> attribute `packages-to-change` added (bsc#1102429)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1792=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1792=1


Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

      libzypp-15.25.17-46.22.1
      libzypp-debuginfo-15.25.17-46.22.1
      libzypp-debugsource-15.25.17-46.22.1
      zypper-1.12.59-46.10.1
      zypper-debuginfo-1.12.59-46.10.1
      zypper-debugsource-1.12.59-46.10.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

      zypper-log-1.12.59-46.10.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      libzypp-15.25.17-46.22.1
      libzypp-debuginfo-15.25.17-46.22.1
      libzypp-debugsource-15.25.17-46.22.1
      zypper-1.12.59-46.10.1
      zypper-debuginfo-1.12.59-46.10.1
      zypper-debugsource-1.12.59-46.10.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

      zypper-log-1.12.59-46.10.1


References:

   https://www.suse.com/security/cve/CVE-2017-7435.html
   https://www.suse.com/security/cve/CVE-2017-7436.html
   https://www.suse.com/security/cve/CVE-2017-9269.html
   https://www.suse.com/security/cve/CVE-2018-7685.html
   https://bugzilla.suse.com/1037210
   https://bugzilla.suse.com/1038984
   https://bugzilla.suse.com/1045735
   https://bugzilla.suse.com/1048315
   https://bugzilla.suse.com/1054088
   https://bugzilla.suse.com/1070851
   https://bugzilla.suse.com/1076192
   https://bugzilla.suse.com/1088705
   https://bugzilla.suse.com/1091624
   https://bugzilla.suse.com/1092413
   https://bugzilla.suse.com/1096803
   https://bugzilla.suse.com/1100028
   https://bugzilla.suse.com/1101349
   https://bugzilla.suse.com/1102429

- -------------------------------------------------------------------------------

  SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2688-1
Rating:             important
References:         #1036304 #1037210 #1038984 #1045735 #1048315
                    #1054088 #1070851 #1076192 #1079334 #1088705
                    #1091624 #1092413 #1096803 #1099847 #1100028
                    #1101349 #1102429
Cross-References:   CVE-2017-7435 CVE-2017-7436 CVE-2017-9269
                    CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
______________________________________________________________________________

   An update that solves four vulnerabilities and has 13 fixes
   is now available.

Description:

   This update for libzypp, zypper fixes the following issues:

   libzypp security fixes:

   - PackageProvider: Validate delta rpms before caching (bsc#1091624,
     bsc#1088705, CVE-2018-7685)
   - PackageProvider: Validate downloaded rpm package signatures before
     caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
   - Be sure bad packages do not stay in the cache (bsc#1045735,
     CVE-2017-9269)
   - Fix repo gpg check workflows, mainly for unsigned repos and packages
     (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269)

   libzypp other changes/bugs fixed:

   - Update to version 14.45.17
   - RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling
     (bsc#1045735)
   - repo refresh: Re-probe if the repository type changes (bsc#1048315)
   - Use common workflow for downloading packages and srcpackages. This
     includes a common way of handling and reporting gpg signature and
     checks. (bsc#1037210)
   - PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
   - Adapt to work with GnuPG 2.1.23 (bsc#1054088)
   - Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
   - RepoManager: Explicitly request repo2solv to generate application pseudo
     packages.
   - Prefer calling "repo2solv" rather than "repo2solv.sh"
   - libzypp-devel should not require cmake (bsc#1101349)
   - HardLocksFile: Prevent against empty commit without Target having been
     loaded (bsc#1096803)
   - Avoid zombie tar processes (bsc#1076192)
   - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)

   zypper security fixes:

   - Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
   - add/modify repo: Add options to tune the GPG check settings
     (bsc#1045735, CVE-2017-9269)
   - Adapt download callback to report and handle unsigned packages
     (bsc#1038984, CVE-2017-7436)

   zypper other changes/bugs fixed:

   - Update to version 1.11.70
   - Bugfix: Prevent ESC sequence strings from going out of scope
     (bsc#1092413)
   - XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
   - man: Strengthen that '--config FILE' affects zypper.conf, not zypp.conf
     (bsc#1100028)
   - ansi.h: Prevent ESC sequence strings from going out of scope
     (bsc#1092413)
   - do not recommend cron (bsc#1079334)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-1879=1



Package List:

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      libzypp-14.45.17-2.82.1
      libzypp-debuginfo-14.45.17-2.82.1
      libzypp-debugsource-14.45.17-2.82.1
      zypper-1.11.70-2.69.2
      zypper-debuginfo-1.11.70-2.69.2
      zypper-debugsource-1.11.70-2.69.2

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      zypper-log-1.11.70-2.69.2


References:

   https://www.suse.com/security/cve/CVE-2017-7435.html
   https://www.suse.com/security/cve/CVE-2017-7436.html
   https://www.suse.com/security/cve/CVE-2017-9269.html
   https://www.suse.com/security/cve/CVE-2018-7685.html
   https://bugzilla.suse.com/1036304
   https://bugzilla.suse.com/1037210
   https://bugzilla.suse.com/1038984
   https://bugzilla.suse.com/1045735
   https://bugzilla.suse.com/1048315
   https://bugzilla.suse.com/1054088
   https://bugzilla.suse.com/1070851
   https://bugzilla.suse.com/1076192
   https://bugzilla.suse.com/1079334
   https://bugzilla.suse.com/1088705
   https://bugzilla.suse.com/1091624
   https://bugzilla.suse.com/1092413
   https://bugzilla.suse.com/1096803
   https://bugzilla.suse.com/1099847
   https://bugzilla.suse.com/1100028
   https://bugzilla.suse.com/1101349
   https://bugzilla.suse.com/1102429

- -------------------------------------------------------------------------------

   SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2690-1
Rating:             important
References:         #1036304 #1041178 #1043166 #1045735 #1058515
                    #1066215 #1070770 #1070851 #1082318 #1084525
                    #1088037 #1088705 #1091624 #1092413 #1093103
                    #1096217 #1096617 #1096803 #1099847 #1100028
                    #1100095 #1100427 #1101349 #1102019 #1102429
                    #408814 #428822 #907538
Cross-References:   CVE-2017-9269 CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

   An update that solves two vulnerabilities and has 26 fixes
   is now available.

Description:

   This update for libzypp, zypper, libsolv provides the following fixes:

   Security fixes in libzypp:

   - CVE-2018-7685: PackageProvider: Validate RPMs before caching
     (bsc#1091624, bsc#1088705)
   - CVE-2017-9269: Be sure bad packages do not stay in the cache
     (bsc#1045735)

   Changes in libzypp:

   - Update to version 17.6.4
   - Automatically fetch repository signing key from gpgkey url (bsc#1088037)
   - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
   - Check for not imported keys after multi key import from rpmdb
     (bsc#1096217)
   - Flags: make it std=c++14 ready
   - Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
   - Show GPGME version in log
   - Adapt to changes in libgpgme11-11.1.0 breaking the signature
     verification (bsc#1100427)
   - RepoInfo::provideKey: add report telling where we look for missing keys.
   - Support listing gpgkey URLs in repo files (bsc#1088037)
   - Add new report to request user approval for importing a package key
   - Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
   - Add filesize check for downloads with known size (bsc#408814)
   - Removed superfluous space in translation (bsc#1102019)
   - Prevent the system from sleeping during a commit
   - RepoManager: Explicitly request repo2solv to generate application pseudo
     packages.
   - libzypp-devel should not require cmake (bsc#1101349)
   - Avoid zombies from ExternalProgram
   - Update ApiConfig
   - HardLocksFile: Prevent against empty commit without Target having been
     loaded (bsc#1096803)
   - lsof: use '-K i' if lsof supports it (bsc#1099847)
   - Fix detection of metalink downloads and prevent aborting if a metalink
     file is larger than the expected data file.
   - Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
   - Make use of %license macro (bsc#1082318)

   Security fix in zypper:

   - CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

   Changes in zypper:

   - Always set error status if any nr of unknown repositories are passed to
     lr and ref (bsc#1093103)
   - Notify user about unsupported rpm V3 keys in an old rpm database
     (bsc#1096217)
   - Detect read only filesystem on system modifying operations (fixes #199)
   - Use %license (bsc#1082318)
   - Handle repo aliases containing multiple ':' in the PackageArgs parser
     (bsc#1041178)
   - Fix broken display of detailed query results.
   - Fix broken search for items with a dash. (bsc#907538, bsc#1043166,
     bsc#1070770)
   - Disable repository operations when searching installed packages.
     (bsc#1084525)
   - Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
   - ansi.h: Prevent ESC sequence strings from going out of scope.
     (bsc#1092413)
   - Fix some translation errors.
   - Support listing gpgkey URLs in repo files (bsc#1088037)
   - Check for root privileges in zypper verify and si (bsc#1058515)
   - XML <install-summary> attribute `packages-to-change` added (bsc#1102429)
   - Add expert (allow-*) options to all installer commands (bsc#428822)
   - Sort search results by multiple columns (bsc#1066215)
   - man: Strengthen that '--config FILE' affects zypper.conf, not zypp.conf
     (bsc#1100028)
   - Set error status if repositories passed to lr and ref are not known
     (bsc#1093103)
   - Do not override table style in search
   - Fix out of bound read in MbsIterator
   - Add --supplements switch to search and info
   - Add setter functions for zypp cache related config values to ZConfig

   Changes in libsolv:

   - convert repo2solv.sh script into a binary tool
   - Make use of %license macro (bsc#1082318)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1883=1

   - SUSE Linux Enterprise Module for Basesystem 15:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1883=1



Package List:

   - SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le
     s390x x86_64):

      libsolv-debuginfo-0.6.35-3.5.2
      libsolv-debugsource-0.6.35-3.5.2
      perl-solv-0.6.35-3.5.2
      perl-solv-debuginfo-0.6.35-3.5.2
      python3-solv-0.6.35-3.5.2
      python3-solv-debuginfo-0.6.35-3.5.2
      ruby-solv-0.6.35-3.5.2
      ruby-solv-debuginfo-0.6.35-3.5.2

   - SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x
     x86_64):

      libsolv-debuginfo-0.6.35-3.5.2
      libsolv-debugsource-0.6.35-3.5.2
      libsolv-devel-0.6.35-3.5.2
      libsolv-devel-debuginfo-0.6.35-3.5.2
      libsolv-tools-0.6.35-3.5.2
      libsolv-tools-debuginfo-0.6.35-3.5.2
      libzypp-17.6.4-3.10.1
      libzypp-debuginfo-17.6.4-3.10.1
      libzypp-debugsource-17.6.4-3.10.1
      libzypp-devel-17.6.4-3.10.1
      python-solv-0.6.35-3.5.2
      python-solv-debuginfo-0.6.35-3.5.2
      zypper-1.14.10-3.7.1
      zypper-debuginfo-1.14.10-3.7.1
      zypper-debugsource-1.14.10-3.7.1

   - SUSE Linux Enterprise Module for Basesystem 15 (noarch):

      zypper-log-1.14.10-3.7.1


References:

   https://www.suse.com/security/cve/CVE-2017-9269.html
   https://www.suse.com/security/cve/CVE-2018-7685.html
   https://bugzilla.suse.com/1036304
   https://bugzilla.suse.com/1041178
   https://bugzilla.suse.com/1043166
   https://bugzilla.suse.com/1045735
   https://bugzilla.suse.com/1058515
   https://bugzilla.suse.com/1066215
   https://bugzilla.suse.com/1070770
   https://bugzilla.suse.com/1070851
   https://bugzilla.suse.com/1082318
   https://bugzilla.suse.com/1084525
   https://bugzilla.suse.com/1088037
   https://bugzilla.suse.com/1088705
   https://bugzilla.suse.com/1091624
   https://bugzilla.suse.com/1092413
   https://bugzilla.suse.com/1093103
   https://bugzilla.suse.com/1096217
   https://bugzilla.suse.com/1096617
   https://bugzilla.suse.com/1096803
   https://bugzilla.suse.com/1099847
   https://bugzilla.suse.com/1100028
   https://bugzilla.suse.com/1100095
   https://bugzilla.suse.com/1100427
   https://bugzilla.suse.com/1101349
   https://bugzilla.suse.com/1102019
   https://bugzilla.suse.com/1102429
   https://bugzilla.suse.com/408814
   https://bugzilla.suse.com/428822
   https://bugzilla.suse.com/907538

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5inIGaOgq3Tt24GAQjxZg//YuX8oW3faibDnioXkU91QvlNS8RIUDeH
uEQoXarYV7rPa0qcRplPF9aUNho98FfdMNgvuwsZjZuupOVeyFFDrJHV6Dqxeirz
uz5i9xKBWQk1o2lwwxjWTXvQHxGP8rv1Xjdfx9Efiqp7StzX0npZHRmRaBqcNew/
tJapb9qJQ4stGlM32bmWUDpwN28dDFuVPGD5pIzvG6z3t812iiJsacWy0BR8fxbB
6f2LXqmJgKBbKJwm2ceHGl70eOujYy4Dv5dA96CZFyLhsL3ElNYKVHtKhGAZWMzI
fo+LdPuxe1uLDQZkNnPdd3L3yg5fzrsG1actom/L+FuyoLuHoVCEmnOaqsPWLDqB
9HaG4AON9avcuXQ0j2RX7JiS5qRFQLhvnqUqJZ5cAA0ItZZxnb4auYYAmmfGu9KS
DE39/0PTPL9045O+eR1d+VD/wOhiaoNoGC6j+fs3D2v6Sc6gXXy637NOrHwOsVBW
zNuE77FBcZOmHlF14CBi6qziidGJLq6uDKrystXyzPBcgVVlD7ziBckuVk5VQXNp
q695z//PUQoLIRVB1Ex+F5ciiF2zxDNIa5bdi8GSJNlWitRZozCZZ6zxwHrNCWsL
qzq/i4kHaXFRo14nflzXgXm9miwYol4IYOLQ/MAuYf6Xit4rJBvURQ8Du/WgFVkv
sltQBXz+djg=
=0xy9
-----END PGP SIGNATURE-----
