SUSE Support

Here When You Need Us

CVE-2017-7435, CVE-2017-7436 and CVE-2017-9269: libzypp-16.15.2 and higher will no longer automatically accept unsigned packages / repositories.

This document (7021171) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Manager 3
SUSE Manager 3.1

Situation

Due to CVE-2017-7435, CVE-2017-7436 changes were made to the behaviour of libzypp to not allow unsigned packages or repositories by default.

Resolution

In the case of SUSE Manager, for a short period of time, libzypp-16.15.(>=2) will silently accept unsigned packages if a repositories gpgcheck configuration is explicitly turned off, for example:

gpgcheck      = 0
repo_gpgcheck = 0
pkg_gpgcheck  = 1

With libzypp-16.16.* the above configuration will reject unsigned packages.

With zypper-1.13.31 the following new options will be available to manage the behaviour changes for adding and modifying repositories:

    --gpgcheck (default: requires either signed repo or signed package)
        gpgcheck        = 1
    (repo_gpgcheck/pkg_gpgcheck unset: follow zypp.conf)

    --gpgcheck-strikt (requires signed package even for signed repos)
        gpgcheck        = 1
        repo_gpgcheck   = 1
        pkg_gpgcheck    = 1
 
    --gpgcheck-allow-unsigned  (allow repo and package to be unsigned)
        gpgcheck        = 1
        repo_gpgcheck   = 0
        pkg_gpgcheck    = 0

    --gpgcheck-allow-unsigned-repo  (allow repo to be unsigned)   
        gpgcheck        = 1
        repo_gpgcheck   = 0
        (pkg_gpgcheck unset: follow zypp.conf)

    --gpgcheck-allow-unsigned-package (allow package to be unsigned) 
        gpgcheck        = 1
        (repo_gpgcheck unset: follow zypp.conf)
        pkg_gpgcheck    = 0

Cause

The changes were needed to address security issues related to CVE-2017-7435, CVE-2017-7436 and CVE-2017-9269.

Additional Information

In the case for SUSE Manager where customers add their own unsigned packages into repositories, these used to be accepted by default without any warning. With the newer libzypp version however a warning will be shown:

File 'repomd.xml' from repository 'repo_name' is unsigned, continue? [yes/no] (no):

 and should it be a non-interactive run it will be declined by default.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7021171
  • Creation Date: 03-Aug-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Manager

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.