File _patchinfo of Package patchinfo.8217

<patchinfo incident="8217">
  <issue id="1037210" tracker="bnc">yast2-pkg-bindings download of source packages would crash</issue>
  <issue id="1038984" tracker="bnc">VUL-0: CVE-2017-7435, CVE-2017-7436: libzypp: rpm-md repository security downgrade</issue>
  <issue id="1045735" tracker="bnc">VUL-0: CVE-2017-9269: libzypp: Missing key pinning allows mirrors to exchange content undetected</issue>
  <issue id="1048315" tracker="bnc">Zypp fails to re-probe if the repository type changes (susetags&lt;&gt;repomd)</issue>
  <issue id="1054088" tracker="bnc">failure to refresh repositories with GnuPG 2.1.23</issue>
  <issue id="1070851" tracker="bnc">502 Bad Gateway in update OS</issue>
  <issue id="1076192" tracker="bnc">YaST2 installer produces zombie tar processes</issue>
  <issue id="1079334" tracker="bnc">Zypper recommends cron</issue>
  <issue id="1088705" tracker="bnc">L3-Question: zypper installs unsigned packages after previous canceled run even not ignored etc.</issue>
  <issue id="1091624" tracker="bnc">VUL-0: CVE-2018-7685: libzypp: Installs unsigned packages after previous canceled run without further warning</issue>
  <issue id="1092413" tracker="bnc">Zypper core dump</issue>
  <issue id="1096803" tracker="bnc">zypper "Reading installed packages" takes long time</issue>
  <issue id="1100028" tracker="bnc">zypper -c/--config &lt;file&gt; fails to override default /etc/zypp/zypp*.conf</issue>
  <issue id="1101349" tracker="bnc">libzypp-devel should not require cmake</issue>
  <issue id="1102429" tracker="bnc">Enhance zypper dup --dry-run output by number of packages</issue>
  <issue id="1099847" tracker="bnc">[zypper ps] lsof &gt;= 4.90 hangs for a long time</issue>
  <issue id="1036304" tracker="bnc">L3-Question: poor lsof performance with lots of open files</issue>
  <issue id="2017-7435" tracker="cve" />
  <issue id="2017-7436" tracker="cve" />
  <issue id="2017-9269" tracker="cve" />
  <issue id="2018-7685" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>mlandres</packager>
  <description>This update for libzypp, zypper fixes the following issues:

libzypp security fixes:

- PackageProvider: Validate delta rpms before caching
  (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching
  (bsc#1091624, bsc#1088705, CVE-2018-7685)
- Be sure bad packages do not stay in the cache (bsc#1045735, CVE-2017-9269)
- Fix repo gpg check workflows, mainly for unsigned repos and packages
  (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269)

libzypp other changes/bugs fixed:

- Update to version 14.45.17
- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735)
- repo refresh: Re-probe if the repository type changes (bsc#1048315)
- Use common workflow for downloading packages and srcpackages. This includes a
  common way of handling and reporting gpg signature and checks. (bsc#1037210)
- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)
- Adapt to work with GnuPG 2.1.23 (bsc#1054088)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo
  packages.
- Prefer calling "repo2solv" rather than "repo2solv.sh"
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent an empty commit without the Target having been
  loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)

zypper security fixes:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735,
  CVE-2017-9269)
- Adapt download callback to report and handle unsigned packages (bsc#1038984,
  CVE-2017-7436)

zypper other changes/bugs fixed:

- Update to version 1.11.70
- Bugfix: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- XML &lt;install-summary&gt; attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- do not recommend cron (bsc#1079334)
</description>
  <summary>Security update for libzypp, zypper</summary>
  <zypp_restart_needed/>
</patchinfo>
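
The two checks an administrator wants after reading the description above, as an added example that is not part of this patchinfo nor code from the libzypp or zypper projects: whether the installed libzypp and zypper are at or above the versions this update ships (14.45.17 and 1.11.70, taken from the description), and whether any enabled repository has GPG checking switched off with gpgcheck=0, the setting under which unsigned metadata and packages pass (the situation the CVE-2017-7435/CVE-2017-7436 downgrade and the CVE-2018-7685 cancelled-run bug are about). It assumes rpm(8) answers `rpm -q --qf '%{VERSION}'` for the live version check and that repositories are .repo ini files as in /etc/zypp/repos.d; the sample .repo file it writes for a dry run is constructed input.

```shell
#!/bin/sh
# Added example, not part of the patchinfo or of the libzypp/zypper projects.
#   1. are libzypp and zypper at or above the fixed versions named above?
#   2. does any enabled repository set gpgcheck=0?
# Assumptions: rpm(8) is available for the live version check; repositories
# are .repo ini files (like /etc/zypp/repos.d). make_sample_repos_d writes a
# constructed sample so the script can be dry-run anywhere.

FIXED_LIBZYPP=14.45.17
FIXED_ZYPPER=1.11.70

# version_ge A B: exit 0 if dotted version A is numerically >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# update_applied LIBZYPP_VER ZYPPER_VER: exit 0 only if both carry the fix.
update_applied() {
    version_ge "$1" "$FIXED_LIBZYPP" && version_ge "$2" "$FIXED_ZYPPER"
}

# unchecked_repos DIR: print the alias of every enabled repository in DIR/*.repo
# that sets gpgcheck=0 (gpgcheck is on by default when the key is absent).
unchecked_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk '
            function emit() { if (alias != "" && enabled + 0 == 1 && gpg + 0 == 0) print alias }
            /^\[/ { emit(); alias = substr($0, 2, length($0) - 2); enabled = 1; gpg = 1 }
            /^[ \t]*enabled[ \t]*=/  { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); enabled = kv[2] }
            /^[ \t]*gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); gpg = kv[2] }
            END { emit() }
        ' "$f"
    done
}

# make_sample_repos_d: write a constructed repos.d into a temp dir, print its path.
make_sample_repos_d() {
    d=$(mktemp -d)
    cat > "$d/sample.repo" <<'EOF'
[good-repo]
name=Signed repository, checks on
enabled=1
gpgcheck=1
baseurl=http://example.invalid/good

[downgraded-repo]
name=Enabled repository with GPG checking switched off
enabled=1
gpgcheck=0
baseurl=http://example.invalid/downgraded

[disabled-unchecked]
name=Checks off but repository disabled, so not reported
enabled=0
gpgcheck=0
baseurl=http://example.invalid/disabled
EOF
    echo "$d"
}

main() {
    if command -v rpm >/dev/null 2>&1 \
       && lz=$(rpm -q --qf '%{VERSION}' libzypp 2>/dev/null) \
       && zy=$(rpm -q --qf '%{VERSION}' zypper 2>/dev/null); then
        if update_applied "$lz" "$zy"; then
            echo "libzypp $lz, zypper $zy: at or above $FIXED_LIBZYPP / $FIXED_ZYPPER"
        else
            echo "libzypp $lz, zypper $zy: OLDER than $FIXED_LIBZYPP / $FIXED_ZYPPER, update missing"
        fi
    else
        echo "rpm, libzypp or zypper not present here, skipping the version check"
    fi
    if [ -n "$1" ]; then
        dir=$1; cleanup=
    else
        dir=$(make_sample_repos_d); cleanup=$dir
    fi
    echo "enabled repositories with gpgcheck=0 under $dir:"
    unchecked_repos "$dir"
    [ -z "$cleanup" ] || rm -rf "$cleanup"
}

main "$@"
```

Run it with no argument for the dry run on the constructed sample (it reports only downgraded-repo), or as `sh check.sh /etc/zypp/repos.d` on a real host. Caveat: an explicit gpgcheck=0 in a .repo file is not the only way the policy can be weakened; the global defaults in /etc/zypp/zypp.conf and the per-repository repo_gpgcheck and pkg_gpgcheck keys also take part, so on a live system compare the script's result with the "GPG Check" column of `zypper repos -d`.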