Overview
Security update for libzypp, zypper

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

- CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)

Changes in libzypp:

- Update to version 17.6.4
- Automatically fetch repository signing key from gpgkey url (bsc#1088037)
- lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)
- Check for not imported keys after multi key import from rpmdb (bsc#1096217)
- Flags: make it std=c++14 ready
- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
- Show GPGME version in log
- Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427)
- RepoInfo::provideKey: add report telling where we look for missing keys.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Add new report to request user approval for importing a package key
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- Add filesize check for downloads with known size (bsc#408814)
- Removed superfluous space in translation (bsc#1102019)
- Prevent the system from sleeping during a commit
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- Avoid zombies from ExternalProgram
- Update ApiConfig
- HardLocksFile: Prevent against empty commit without Target having
been been loaded (bsc#1096803)
- lsof: use '-K i' if lsof supports it (bsc#1099847)
- Add filesize check for downloads with known size (bsc#408814)
- Fix detection of metalink downloads and prevent aborting if a metalink file
is larger than the expected data file.
- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
- Make use of %license macro (bsc#1082318)

Security fix in zypper:

- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

- Always set error status if any nr of unknown repositories are passed to lr and ref (bsc#1093103)
- Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217)
- Detect read only filesystem on system modifying operations (fixes #199)
- Use %license (bsc#1082318)
- Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc #1041178)
- Fix broken display of detailed query results.
- Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770)
- Disable repository operations when searching installed packages. (bsc#1084525)
- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
- Fix some translation errors.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Check for root privileges in zypper verify and si (bsc#1058515)
- XML attribute `packages-to-change` added (bsc#1102429)
- Add expert (allow-*) options to all installer commands (bsc#428822)
- Sort search results by multiple columns (bsc#1066215)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Set error status if repositories passed to lr and ref are not known (bsc#1093103)
- Do not override table style in search
- Fix out of bound read in MbsIterator
- Add --supplements switch to search and info
- Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

- convert repo2solv.sh script into a binary tool
- Make use of %license macro (bsc#1082318)

This update was imported from the SUSE:SLE-15:Update update project.

Fixed bugs
bnc#1036304
L3-Question: poor lsof performance with lots of open files
bnc#1041178
Zypper fails to resolve `repo :package` argument if repo alias contains ':'
bnc#1096217
[Migration] after upgrade from SLES11SP4 to SLES15: zypper output message: "warning: Unsupported version of key: V3
bnc#1092413
Zypper core dump
bnc#1084525
zypper should disable repository operations when searching installed packages
bnc#1096617
zypper ps says sddm-greeter is using deleted file /var/lib/sddm/#3722510 even after reboot.
bnc#907538
zypper shell search parsing minus
bnc#1043166
Inconsistency in zypper search
bnc#1070770
zypper broken search matchinmg for items with dash
bnc#1100095
installling updates/zypper patch claims to remove firefox
bnc#1058515
zypper si -d does not check for root permissions
bnc#1066215
zypper's se --sort-by-x feature does 1st-level sorting and randomizes 2nd-level sort
bnc#1070851
502 Bad Gateway in update OS
bnc#1088037
gpgkey= entry ignored for rpm-md repositories
bnc#1088705
L3-Question: zypper installs unsigned packages after previous canceled run even not ignored etc.
bnc#1091624
VUL-0: CVE-2018-7685: libzypp: Installs unsigned packages after previous canceled run without further warning
bnc#1093103
Inconsistent 'zypper ref' return values
bnc#1096803
zypper "Reading installed packages" takes long time
bnc#1099847
[zypper ps] lsof >= 4.90 hangs for a long time
bnc#1100028
zypper -c/--config file fails to override default /etc/zypp/zypp*.conf
bnc#1100427
Unable to install linux kernel via dud
bnc#1101349
libzypp-devel should not require cmake
bnc#1102019
zypper: space too much in german output
bnc#1102429
Enhance zypper dup --dry-run output by number of packages
bnc#408814
VUL-1: libzypp: prevent downloads with infinite size
bnc#428822
Zypp vendor change: ask once per session
bnc#1045735
VUL-0: CVE-2017-9269: libzypp: Missing key pinning allows mirrors to exchange content undetected
bnc#1082318
Packages must not mark license files as %doc
CVE-2018-7685
CVE-2017-9269
Selected Binaries
openSUSE Build Service is sponsored by
Places