SUSE:SLE-12-SP1:Update
File _patchinfo of Package patchinfo.8211
<patchinfo incident="8211">
  <issue tracker="bnc" id="1101349">libzypp-devel should not require cmake</issue>
  <issue tracker="bnc" id="1092413">Zypper core dump</issue>
  <issue tracker="bnc" id="1076192">YaST2 installer produces zombie tar processes</issue>
  <issue tracker="bnc" id="1096803">zypper "Reading installed packages" takes long time</issue>
  <issue tracker="bnc" id="1100028">zypper -c/--config &lt;file&gt; fails to override default /etc/zypp/zypp*.conf</issue>
  <issue id="1037210" tracker="bnc">yast2-pkg-bindings download of source packages would crash</issue>
  <issue id="1038984" tracker="bnc">VUL-0: CVE-2017-7435, CVE-2017-7436: libzypp: rpm-md repository security downgrade</issue>
  <issue id="1045735" tracker="bnc">VUL-0: CVE-2017-9269: libzypp: Missing key pinning allows mirrors to exchange content undetected</issue>
  <issue id="1048315" tracker="bnc">Zypp fails to re-probe if the repository type changes</issue>
  <issue id="1054088" tracker="bnc">failure to refresh repositories with GnuPG 2.1.23</issue>
  <issue id="1070851" tracker="bnc">502 Bad Gateway in update OS</issue>
  <issue id="1088705" tracker="bnc">L3-Question: zypper installs unsigned packages after previous canceled run even not ignored etc.</issue>
  <issue id="1091624" tracker="bnc">VUL-0: CVE-2018-7685: libzypp: Installs unsigned packages after previous canceled run without further warning</issue>
  <issue id="1102429" tracker="bnc">Enhance zypper dup --dry-run output by number of packages</issue>
  <issue id="2017-7435" tracker="cve"/>
  <issue id="2017-7436" tracker="cve"/>
  <issue id="2017-9269" tracker="cve"/>
  <issue id="2018-7685" tracker="cve"/>
  <category>security</category>
  <rating>important</rating>
  <packager>mlandres</packager>
  <description>This update for libzypp, zypper provides the following fixes:

libzypp security fixes:

- CVE-2018-7685: Validate RPMs before caching (bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix repo gpg check workflows, mainly for
  unsigned repos and packages (bsc#1045735, bsc#1038984)

libzypp changes:

- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- Prefer calling "repo2solv" rather than "repo2solv.sh".
- libzypp-devel should not require cmake. (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded. (bsc#1096803)
- Avoid zombie tar processes. (bsc#1076192)
- man: Make sure that '--config FILE' affects zypper.conf, not zypp.conf. (bsc#1100028)
- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Use common workflow for downloading packages and srcpackages. This includes a common
  way of handling and reporting gpg signature and checks. (bsc#1037210)
- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
- Adapt to work with GnuPG 2.1.23 (bsc#1054088)
  Use 'gpg --list-packets' to determine the keyid to verify a signature.
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)

zypper security fixes:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)
- Adapt download callback to report and handle unsigned packages (bsc#1038984, CVE-2017-7436)

zypper changes:

- download: fix crash when non-package types are passed as argument (bsc#1037210)
- XML &lt;install-summary&gt; attribute `packages-to-change` added (bsc#1102429)
</description>
  <summary>Security update for libzypp, zypper</summary>
  <zypp_restart_needed/>
</patchinfo>