File _patchinfo of Package patchinfo.5191
<patchinfo incident="5191">
<issue id="1047785" tracker="bnc">zypper reports an error to the user during repository refresh</issue>
<issue id="1038984" tracker="bnc">VUL-0: CVE-2017-7435, CVE-2017-7436: libzypp: rpm-md repository security downgrade</issue>
<issue id="1038132" tracker="bnc">L3: s390x add local ISO as repo fails - Mounting media failed overlapping loop device exists</issue>
<issue id="1031756" tracker="bnc">add tumbleweed-update command</issue>
<issue id="1045735" tracker="bnc">VUL-0: EMBARGOED: CVE-2017-9269: libzypp: Missing key pinning allows mirrors to exchange content undetected</issue>
<issue id="1048315" tracker="bnc">Zypp fails to re-probe if the repository type changes (susetags&lt;&gt;repomd)</issue>
<issue id="1009745" tracker="bnc">No Appstream data installed after installation</issue>
<issue id="1043218" tracker="bnc">YaST crashes on installation of banshee</issue>
<issue id="1033236" tracker="bnc">Use of Add-On ISO via NFS not working</issue>
<issue id="2017-7435" tracker="cve" />
<issue id="2017-7436" tracker="cve" />
<issue id="2017-9269" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>mlandres</packager>
<description>The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
Security issues fixed:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned
repositories and packages. (bsc#1045735, bsc#1038984)
Bug fixes:
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow triggering an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
- Adapt loop mounting of ISO images. (bsc#1038132, bsc#1033236)
- Fix potential crash if repository has no baseurl. (bsc#1043218)
zypper:
- Adapt download callback to report and handle unsigned packages. (bsc#1038984)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
- Document support for custom repository variables defined in /etc/zypp/vars.d.
- Emphasize that it depends on how fast PackageKit will respond to a 'quit' request sent
if PK blocks package management.
</description>
<summary>Security update for libzypp, zypper</summary>
<zypp_restart_needed/>
</patchinfo>