
Security vulnerabilities in the zypper, libzypp and libsolv packages

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for zypper, libzypp and libsolv
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1927-1
Rating: moderate
References: #1047962 #1049826 #1053177 #1065022 #1099019
#1102261 #1110542 #1111319 #1112911 #1113296
#1114908 #1115341 #1116840 #1118758 #1119373
#1119820 #1119873 #1120263 #1120463 #1120629
#1120630 #1120631 #1121611 #1122062 #1122471
#1123137 #1123681 #1123843 #1123865 #1123967
#1124897 #1125415 #1127026 #1127155 #1127220
#1130161 #1131823 #1135749 #1137977 #663358
#764147 #965786 #978193 #993025
Cross-References: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves three vulnerabilities and has 41
fixes is now available.

Description:

This update for libzypp and libsolv fixes the following issues:

Security issues fixed:

– CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c
(function testcase_read) (bsc#1120629).
– CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c
(function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
– CVE-2018-20534: Fixed illegal address access at src/pool.h (function
pool_whatprovides) in libsolv.a (bsc#1120631).

Fixed bugs and enhancements:

– make cleandeps jobs on patterns work (bnc#1137977)
– Fixed an issue where libsolv failed to build against swig 4.0 by
updating the version to 0.7.5 (bsc#1135749).
– Virtualization host upgrade from SLES-15 to SLES-15-SP1 finished with the
wrong product name shown (bsc#1131823).
– Copy pattern categories from the rpm that defines the pattern
(fate#323785).
– Enhance scanning /sys for modaliases (bsc#1130161).
– Prevent SEGV if the application sets an empty TextLocale (bsc#1127026).
– Handle libgpgme error when gpg key is not completely read and user hits
CTRL + C (bsc#1127220).
– Added a hint when registration codes have expired (bsc#965786).
– Adds better handling of errors when verifying any repository medium
(bsc#1065022).
– Will now only write type field when probing (bsc#1114908).
– Fixes an issue where zypper showed the info message ‘Installation
aborted by user’ while the installation was actually aborted by wicked
(bsc#978193).
– Suppresses reporting `/memfd:` pseudo files (bsc#1123843).
– Fixes an issue where zypper was not able to install or uninstall
packages when rpm is unavailable (bsc#1122471).
– Fixes an issue where locks were ignored (bsc#1113296).
– Simplify complex locks so zypper can display them (bsc#1112911).
– zypper will now set `SYSTEMD_OFFLINE=1` during chrooted commits
(bsc#1118758).
– no-recommends: Nevertheless consider resolver namespaces (hardware,
language, ... supporting packages) (fate#325513).
– Removes world-readable bit from /var/log/zypp (bsc#1099019).
– No longer fails service-refresh on an empty repoindex.xml
(bsc#1116840).
– Fixes soname due to libsolv ABI changes (bsc#1115341).
– Add infrastructure to flag specific packages to trigger a reboot needed
hint (fate#326451).

This update for zypper 1.14.27 fixes the following issues:

– bash-completion: add package completion for addlock (bsc#1047962)
– bash-completion: fix incorrect detection of command names (bsc#1049826)

– Offer to change the ‘runSearchPackages’ config option at the prompt
(bsc#1119373, FATE#325599)
– Prompt: provide a ‘yes/no/always/never’ prompt.
– Prompt: support “#NUM” as answer to select the NUMth option…
– Augeas: enable writing back changed option values (to ~/.zypper.conf)
– removelocale: fix segfault
– Move needs-restarting command to subpackage (fixes #254)
– Allow empty string as argument (bsc#1125415)
– Provide a way to delete cache for volatile repositories (bsc#1053177)
– Adapt to boost-1.69 requiring explicit casts tribool->bool (fixes #255)
– Show support status in info if not unknown (bsc#764147)
– Fix installing plain rpm files with `zypper in` (bsc#1124897)
– Show only required info in the summary in quiet mode (bsc#993025)
– Stay with legacy behavior and return ZYPPER_EXIT_INF_REBOOT_NEEDED
only for patches. We don’t extend this return code to packages, although
they may also carry the ‘reboot-needed’ attribute. The preferred way to
test whether the system needs to be rebooted is `zypper
needs-rebooting`. (openSUSE/zypper#237)
– Skip repository on error (bsc#1123967)
– New commands for locale management: locales addlocale removelocale
Inspect and manipulate the system's `requested locales`, i.e. the
languages that software packages should try to support by installing
translations, dictionaries and tools, as far as they are available.
– Don’t throw, just warn if options are repeated (bsc#1123865)
– Fix detection whether stdout is a tty (happened too late)
– Fix broken --plus-content switch (fixes bsc#1123681)
– Fix broken --replacefiles switch (fixes bsc#1123137)
– Extend zypper source-install (fixes bsc#663358)
– Fix inconsistent results for search (bsc#1119873)
– Show reboot hint in zypper ps and summary (fixes bsc#1120263)
– Improve handling of partially locked packages (bsc#1113296)
– Fix wrong default values in help text (bsc#1121611)
– Fixed broken argument parsing for --reposd-dir (bsc#1122062)
– Fix wrong zypp::indeterminate use (bsc#1120463)
– CLI parser: fix broken initialization enforcing ‘select by name’
(bsc#1119820)
– zypper.conf: [commit] autoAgreeWithLicenses {=false} (fixes #220)
– locks: Fix printing of versioned locks (bsc#1112911)
– locks: create and write versioned locks correctly (bsc#1112911)
– patch: --with-update may implicitly assume --with-optional (bsc#1102261)
– no-recommends: Nevertheless consider resolver namespaces (hardware,
language, ... supporting packages) (FATE#325513)
– Optionally run “zypper search-packages” after “search” (FATE#325599)
– zypper.conf: Add [search]runSearchPackages config variable.
– Don’t iterate twice on --no-cd (bsc#1111319)
– zypper-log: Make it Python 3 compatible
– man: mention /etc/zypp/needreboot config file (fate#326451, fixes #140)
– Add `needs-restarting` shell script and manpage (fate#326451)
– Add zypper needs-rebooting command (fate#326451)
– Introduce new zypper command framework. Migrated commands so far:
addlock addrepo addservice clean cleanlocks modifyrepo modifyservice ps
refresh refresh-services removelock removerepo removeservice renamerepo
repos services
– MediaChangeReport: fix https URLs causing 2 prompts on error
(bsc#1110542)

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1927=1

Package List:

– openSUSE Leap 15.0 (i586 x86_64):

PackageKit-1.1.10-lp150.11.1
PackageKit-backend-zypp-1.1.10-lp150.11.1
PackageKit-backend-zypp-debuginfo-1.1.10-lp150.11.1
PackageKit-debuginfo-1.1.10-lp150.11.1
PackageKit-debugsource-1.1.10-lp150.11.1
PackageKit-devel-1.1.10-lp150.11.1
PackageKit-devel-debuginfo-1.1.10-lp150.11.1
PackageKit-gstreamer-plugin-1.1.10-lp150.11.1
PackageKit-gstreamer-plugin-debuginfo-1.1.10-lp150.11.1
PackageKit-gtk3-module-1.1.10-lp150.11.1
PackageKit-gtk3-module-debuginfo-1.1.10-lp150.11.1
libpackagekit-glib2-18-1.1.10-lp150.11.1
libpackagekit-glib2-18-debuginfo-1.1.10-lp150.11.1
libpackagekit-glib2-devel-1.1.10-lp150.11.1
libyui-ncurses-pkg-debugsource-2.48.5.2-lp150.7.1
libyui-ncurses-pkg-devel-2.48.5.2-lp150.7.1
libyui-ncurses-pkg8-2.48.5.2-lp150.7.1
libyui-ncurses-pkg8-debuginfo-2.48.5.2-lp150.7.1
libyui-qt-pkg-debugsource-2.45.15.2-lp150.7.1
libyui-qt-pkg-devel-2.45.15.2-lp150.7.1
libyui-qt-pkg8-2.45.15.2-lp150.7.1
libyui-qt-pkg8-debuginfo-2.45.15.2-lp150.7.1
typelib-1_0-PackageKitGlib-1_0-1.1.10-lp150.11.1
yast2-pkg-bindings-4.0.13-lp150.2.13.1
yast2-pkg-bindings-debuginfo-4.0.13-lp150.2.13.1
yast2-pkg-bindings-debugsource-4.0.13-lp150.2.13.1

– openSUSE Leap 15.0 (x86_64):

libpackagekit-glib2-18-32bit-1.1.10-lp150.11.1
libpackagekit-glib2-18-32bit-debuginfo-1.1.10-lp150.11.1
libpackagekit-glib2-devel-32bit-1.1.10-lp150.11.1
libsolv-debuginfo-0.7.5-lp150.7.1
libsolv-debugsource-0.7.5-lp150.7.1
libsolv-demo-0.7.5-lp150.7.1
libsolv-demo-debuginfo-0.7.5-lp150.7.1
libsolv-devel-0.7.5-lp150.7.1
libsolv-devel-debuginfo-0.7.5-lp150.7.1
libsolv-tools-0.7.5-lp150.7.1
libsolv-tools-debuginfo-0.7.5-lp150.7.1
libzypp-17.12.0-lp150.2.13.1
libzypp-debuginfo-17.12.0-lp150.2.13.1
libzypp-debugsource-17.12.0-lp150.2.13.1
libzypp-devel-17.12.0-lp150.2.13.1
libzypp-devel-doc-17.12.0-lp150.2.13.1
perl-solv-0.7.5-lp150.7.1
perl-solv-debuginfo-0.7.5-lp150.7.1
python-solv-0.7.5-lp150.7.1
python-solv-debuginfo-0.7.5-lp150.7.1
python3-solv-0.7.5-lp150.7.1
python3-solv-debuginfo-0.7.5-lp150.7.1
ruby-solv-0.7.5-lp150.7.1
ruby-solv-debuginfo-0.7.5-lp150.7.1
zypper-1.14.28-lp150.2.13.1
zypper-debuginfo-1.14.28-lp150.2.13.1
zypper-debugsource-1.14.28-lp150.2.13.1

– openSUSE Leap 15.0 (noarch):

PackageKit-branding-upstream-1.1.10-lp150.11.1
PackageKit-lang-1.1.10-lp150.11.1
zypper-aptitude-1.14.28-lp150.2.13.1
zypper-log-1.14.28-lp150.2.13.1
zypper-needs-restarting-1.14.28-lp150.2.13.1
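As an added verification aid that is not part of the advisory: the following Python checks `rpm -qa`-style package strings against the fixed libsolv, libzypp and zypper builds listed above, using RPM's own version-comparison rules (numeric segments beat alphabetic ones, `~` sorts before everything). The installed-package sample is constructed, and the epoch is ignored because none of the listed packages carries one.

```python
import re

# Fixed builds taken from the Package List above (openSUSE Leap 15.0, x86_64).
FIXED = [
    "libsolv-tools-0.7.5-lp150.7.1",
    "libzypp-17.12.0-lp150.2.13.1",
    "zypper-1.14.28-lp150.2.13.1",
]

def _segments(s):
    # rpmvercmp tokenises into digit runs, letter runs and '~'; separators are dropped.
    return re.findall(r"[0-9]+|[A-Za-z]+|~", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 following RPM's rpmvercmp() semantics."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":          # tilde sorts before anything else
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():    # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, a_is_longer = (sa, True) if len(sa) > len(sb) else (sb, False)
    if longer[min(len(sa), len(sb))] == "~":  # leftover tilde means older
        return -1 if a_is_longer else 1
    return 1 if a_is_longer else -1           # otherwise leftover segments mean newer

def split_nvr(nvr):
    """'name-version-release' -> (name, version, release); names may contain dashes."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel

def vulnerable_packages(installed, fixed=FIXED):
    """Return installed NVRs whose version-release is older than the fixed build."""
    fixed_map = {split_nvr(p)[0]: split_nvr(p)[1:] for p in fixed}
    flagged = []
    for nvr in installed:
        name, ver, rel = split_nvr(nvr)
        if name not in fixed_map:
            continue
        fver, frel = fixed_map[name]
        c = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
        if c < 0:
            flagged.append(nvr)
    return flagged

# Constructed sample of `rpm -qa` output (not from the page).
SAMPLE_INSTALLED = [
    "libsolv-tools-0.6.36-lp150.2.7.1",  # older than fixed -> flagged
    "libzypp-17.12.0-lp150.2.13.1",      # exactly the fixed build -> fine
    "zypper-1.14.30-lp150.2.16.1",       # newer than fixed -> fine
    "vim-8.0.1568-lp150.10.1",           # not covered by the advisory -> ignored
]
```

On a live host, feed `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` into `vulnerable_packages` after extending `FIXED` with the remaining entries from the Package List.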

References:

https://www.suse.com/security/cve/CVE-2018-20532.html
https://www.suse.com/security/cve/CVE-2018-20533.html
https://www.suse.com/security/cve/CVE-2018-20534.html
https://bugzilla.suse.com/1047962
https://bugzilla.suse.com/1049826
https://bugzilla.suse.com/1053177
https://bugzilla.suse.com/1065022
https://bugzilla.suse.com/1099019
https://bugzilla.suse.com/1102261
https://bugzilla.suse.com/1110542
https://bugzilla.suse.com/1111319
https://bugzilla.suse.com/1112911
https://bugzilla.suse.com/1113296
https://bugzilla.suse.com/1114908
https://bugzilla.suse.com/1115341
https://bugzilla.suse.com/1116840
https://bugzilla.suse.com/1118758
https://bugzilla.suse.com/1119373
https://bugzilla.suse.com/1119820
https://bugzilla.suse.com/1119873
https://bugzilla.suse.com/1120263
https://bugzilla.suse.com/1120463
https://bugzilla.suse.com/1120629
https://bugzilla.suse.com/1120630
https://bugzilla.suse.com/1120631
https://bugzilla.suse.com/1121611
https://bugzilla.suse.com/1122062
https://bugzilla.suse.com/1122471
https://bugzilla.suse.com/1123137
https://bugzilla.suse.com/1123681
https://bugzilla.suse.com/1123843
https://bugzilla.suse.com/1123865
https://bugzilla.suse.com/1123967
https://bugzilla.suse.com/1124897
https://bugzilla.suse.com/1125415
https://bugzilla.suse.com/1127026
https://bugzilla.suse.com/1127155
https://bugzilla.suse.com/1127220
https://bugzilla.suse.com/1130161
https://bugzilla.suse.com/1131823
https://bugzilla.suse.com/1135749
https://bugzilla.suse.com/1137977
https://bugzilla.suse.com/663358
https://bugzilla.suse.com/764147
https://bugzilla.suse.com/965786
https://bugzilla.suse.com/978193
https://bugzilla.suse.com/993025



Author: Toni Vugdelija
Cert id: NCERT-REF-2019-08-0001-ADV
Source: Adobe