File _patchinfo of Package patchinfo.8211
<patchinfo incident="8211"> <issue tracker="bnc" id="1101349">libzypp-devel should not require cmake</issue> <issue tracker="bnc" id="1092413">Zypper core dump</issue> <issue tracker="bnc" id="1076192">YaST2 installer produces zombie tar processes</issue> <issue tracker="bnc" id="1096803">zypper "Reading installed packages" takes long time</issue> <issue tracker="bnc" id="1100028">zypper -c/--config <file> fails to override default /etc/zypp/zypp*.conf</issue> <issue id="1037210" tracker="bnc">yast2-pkg-bindings download of source packages would crash</issue> <issue id="1038984" tracker="bnc">VUL-0: CVE-2017-7435, CVE-2017-7436: libzypp: rpm-md repository security downgrade</issue> <issue id="1045735" tracker="bnc">VUL-0: CVE-2017-9269: libzypp: Missing key pinning allows mirrors to exchange content undetected</issue> <issue id="1048315" tracker="bnc">Zypp fails to re-probe if the repository type changes</issue> <issue id="1054088" tracker="bnc">failure to refresh repositories with GnuPG 2.1.23</issue> <issue id="1070851" tracker="bnc">502 Bad Gateway in update OS</issue> <issue id="1088705" tracker="bnc">L3-Question: zypper installs unsigned packages after previous canceled run even not ignored etc.</issue> <issue id="1091624" tracker="bnc">VUL-0: CVE-2018-7685: libzypp: Installs unsigned packages after previous canceled run without further warning</issue> <issue id="1102429" tracker="bnc">Enhance zypper dup --dry-run output by number of packages</issue> <issue id="2017-7435" tracker="cve"/> <issue id="2017-7436" tracker="cve"/> <issue id="2017-9269" tracker="cve"/> <issue id="2018-7685" tracker="cve"/> <category>security</category> <rating>important</rating> <packager>mlandres</packager> <description>This update for libzypp, zypper provides the following fixes: libzypp security fixes: - CVE-2018-7685: Validate RPMs before caching (bsc#1091624, bsc#1088705) - CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735) - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix repo gpg check workflows, mainly for unsigned repos and packages (bsc#1045735, bsc#1038984) libzypp changes: - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - Prefer calling "repo2solv" rather than "repo2solv.sh". - libzypp-devel should not require cmake. (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been loaded. (bsc#1096803) - Avoid zombie tar processes. (bsc#1076192) - man: Make sure that '--config FILE' affects zypper.conf, not zypp.conf. (bsc#1100028) - ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413) - RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735) - repo refresh: Re-probe if the repository type changes (bsc#1048315) - Use common workflow for downloading packages and srcpackages. This includes a common way of handling and reporting gpg signature and checks. (bsc#1037210) - PackageProvider: as well support downloading SrcPackage (for bsc#1037210) - Adapt to work with GnuPG 2.1.23 (bsc#1054088) Use 'gpg --list-packets' to determine the keyid to verify a signature. - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) zypper security fixes: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) - Adapt download callback to report and handle unsigned packages (bsc#1038984, CVE-2017-7436) zypper changes: - download: fix crash when non-package types are passed as argument (bsc#1037210) - XML <install-summary> attribute `packages-to-change` added (bsc#1102429) </description> <summary>Security update for libzypp, zypper</summary> <zypp_restart_needed/> </patchinfo>
