Recommended update for libzypp, zypper, libsolv and PackageKit

Announcement ID: SUSE-RU-2019:2742-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2018-20532 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-20533 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2018-20534 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2018-20534 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
  • Basesystem Module 15-SP1
  • Desktop Applications Module 15-SP1
  • Development Tools Module 15-SP1
  • SUSE Linux Enterprise Desktop 15 SP1
  • SUSE Linux Enterprise High Performance Computing 15 SP1
  • SUSE Linux Enterprise Real Time 15 SP1
  • SUSE Linux Enterprise Server 15 SP1
  • SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Workstation Extension 15 SP1
  • SUSE Manager Proxy 4.0
  • SUSE Manager Retail Branch Server 4.0
  • SUSE Manager Server 4.0
  • SUSE Package Hub 15 15-SP1

An update that solves three vulnerabilities and has 18 fixes can now be installed.

Description:

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

  • CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
  • CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
  • CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

  • Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
  • Fixed an issue with the package name (bsc#1131823).
  • repo_add_rpmdb: do not copy bad solvables from the old solv file
  • Fixed an issue with cleandeps updates in which all packages were not updated
  • Experimental DISTTYPE_CONDA and REL_CONDA support
  • Fixed cleandeps jobs when using patterns (bsc#1137977)
  • Fixed favorq leaking between solver runs if the solver is reused
  • Fixed SOLVER_FLAG_FOCUS_BEST updateing packages without reason
  • Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
  • Fix repository priority handling for multiversion packages
  • Make code compatible with swig 4.0, remove obj0 instances
  • repo2solv: support zchunk compressed data
  • Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

  • Fix empty metalink downloads if filesize is unknown (bsc#1153557)
  • Recognize riscv64 as architecture
  • Fix installation of new header file (fixes #185)
  • zypp.conf: Introduce solver.focus to define the resolvers general attitude when resolving jobs. (bsc#1146415)
  • New container detection algorithm for zypper ps (bsc#1146947)
  • Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
  • Run file conflict check on dry-run. (bsc#1140039)
  • Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
  • Rephrase file conflict check summary. (bsc#1140039)
  • Fix bash completions option detection. (bsc#1049825)
  • Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
  • Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
  • PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

  • Update to version 1.14.30
  • Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
  • Dump stacktrace on SIGPIPE (bsc#1145521)
  • info: The requested info must be shown in QUIET mode (fixes #287)
  • Fix local/remote url classification.
  • Rephrase file conflict check summary (bsc#1140039)
  • Fix bash completions option detection (bsc#1049825)
  • man: split '--with[out]' like options to ease searching.
  • Unhided 'ps' command in help
  • Added option to show more conflict information
  • Rephrased zypper ps hint (bsc#859480)
  • Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
  • Fixed unknown package handling in zypper install (bsc#1127608)
  • Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

  • Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script(bsc#1130306).

Special Instructions and Notes:

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Basesystem Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2742=1
  • Desktop Applications Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-2742=1
  • Development Tools Module 15-SP1
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2019-2742=1
  • SUSE Package Hub 15 15-SP1
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2019-2742=1
  • SUSE Linux Enterprise Workstation Extension 15 SP1
    zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-2742=1

Package List:

  • Basesystem Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • libzypp-debugsource-17.15.0-3.9.1
    • libyui-qt-pkg-debugsource-2.45.27-3.3.5
    • libsolv-devel-debuginfo-0.7.6-3.7.2
    • libyui-qt-pkg9-2.45.27-3.3.5
    • libsolv-debugsource-0.7.6-3.7.2
    • libsolv-debuginfo-0.7.6-3.7.2
    • libyui-ncurses-pkg9-debuginfo-2.48.9-7.3.5
    • libsolv-tools-0.7.6-3.7.2
    • yast2-pkg-bindings-debuginfo-4.1.2-3.3.5
    • python3-solv-0.7.6-3.7.2
    • zypper-1.14.30-3.7.2
    • libzypp-17.15.0-3.9.1
    • yast2-pkg-bindings-debugsource-4.1.2-3.3.5
    • libsolv-tools-debuginfo-0.7.6-3.7.2
    • python3-solv-debuginfo-0.7.6-3.7.2
    • libyui-ncurses-pkg9-2.48.9-7.3.5
    • yast2-pkg-bindings-4.1.2-3.3.5
    • zypper-debuginfo-1.14.30-3.7.2
    • libyui-qt-pkg9-debuginfo-2.45.27-3.3.5
    • libyui-ncurses-pkg-debugsource-2.48.9-7.3.5
    • zypper-debugsource-1.14.30-3.7.2
    • libsolv-devel-0.7.6-3.7.2
    • libzypp-debuginfo-17.15.0-3.9.1
    • libzypp-devel-17.15.0-3.9.1
    • libyui-ncurses-pkg-devel-2.48.9-7.3.5
  • Basesystem Module 15-SP1 (noarch)
    • libyui-qt-pkg-doc-2.45.27-3.3.3
    • libyui-ncurses-pkg-doc-2.48.9-7.3.3
    • zypper-needs-restarting-1.14.30-3.7.2
    • zypper-log-1.14.30-3.7.2
  • Desktop Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • libpackagekit-glib2-18-1.1.10-12.3.5
    • PackageKit-1.1.10-12.3.5
    • typelib-1_0-PackageKitGlib-1_0-1.1.10-12.3.5
    • libyui-qt-pkg-debugsource-2.45.27-3.3.5
    • libyui-qt-pkg-devel-2.45.27-3.3.5
    • PackageKit-debugsource-1.1.10-12.3.5
    • PackageKit-debuginfo-1.1.10-12.3.5
    • PackageKit-devel-1.1.10-12.3.5
    • PackageKit-devel-debuginfo-1.1.10-12.3.5
    • libpackagekit-glib2-devel-1.1.10-12.3.5
    • PackageKit-backend-zypp-debuginfo-1.1.10-12.3.5
    • PackageKit-backend-zypp-1.1.10-12.3.5
    • libpackagekit-glib2-18-debuginfo-1.1.10-12.3.5
  • Desktop Applications Module 15-SP1 (noarch)
    • PackageKit-lang-1.1.10-12.3.5
  • Development Tools Module 15-SP1 (aarch64 ppc64le s390x x86_64)
    • perl-solv-0.7.6-3.7.2
    • ruby-solv-debuginfo-0.7.6-3.7.2
    • perl-solv-debuginfo-0.7.6-3.7.2
    • libsolv-debugsource-0.7.6-3.7.2
    • libsolv-debuginfo-0.7.6-3.7.2
    • ruby-solv-0.7.6-3.7.2
  • SUSE Package Hub 15 15-SP1 (aarch64 ppc64le s390x x86_64)
    • python-solv-debuginfo-0.7.6-3.7.2
    • libsolv-debuginfo-0.7.6-3.7.2
    • python-solv-0.7.6-3.7.2
    • libsolv-debugsource-0.7.6-3.7.2
  • SUSE Linux Enterprise Workstation Extension 15 SP1 (x86_64)
    • PackageKit-gstreamer-plugin-1.1.10-12.3.5
    • PackageKit-gtk3-module-1.1.10-12.3.5
    • PackageKit-gtk3-module-debuginfo-1.1.10-12.3.5
    • PackageKit-debugsource-1.1.10-12.3.5
    • PackageKit-debuginfo-1.1.10-12.3.5
    • PackageKit-gstreamer-plugin-debuginfo-1.1.10-12.3.5

References: