File _patchinfo of Package patchinfo.8213
<patchinfo incident="8213">
  <issue id="1102429" tracker="bnc">Enhance zypper dup --dry-run output by number of packages</issue>
  <issue id="1092413" tracker="bnc">Zypper core dump</issue>
  <issue id="1101349" tracker="bnc">libzypp-devel should not require cmake</issue>
  <issue id="1091624" tracker="bnc">VUL-0: CVE-2018-7685: libzypp: Installs unsigned packages after previous canceled run without further warning</issue>
  <issue id="1070851" tracker="bnc">502 Bad Gateway in update OS</issue>
  <issue id="1045735" tracker="bnc">VUL-0: CVE-2017-9269: libzypp: Missing key pinning allows mirrors to exchange content undetected</issue>
  <issue id="1099847" tracker="bnc">[zypper ps] lsof &gt;= 4.90 hangs for a long time</issue>
  <issue id="1100028" tracker="bnc">zypper -c/--config &lt;file&gt; fails to override default /etc/zypp/zypp*.conf</issue>
  <issue id="1076192" tracker="bnc">YaST2 installer produces zombie tar processes</issue>
  <issue id="1096803" tracker="bnc">zypper "Reading installed packages" takes long time</issue>
  <issue id="1036304" tracker="bnc">L3-Question: poor lsof performance with lots of open files</issue>
  <issue id="1079334" tracker="bnc">Zypper recommends cron</issue>
  <issue id="1088705" tracker="bnc">L3-Question: zypper installs unsigned packages after previous canceled run even not ignored etc.</issue>
  <issue id="1049825" tracker="bnc">zypper bash completion expands non-existing options</issue>
  <issue tracker="cve" id="2018-7685"/>
  <issue tracker="cve" id="2017-9269"/>
  <category>security</category>
  <rating>important</rating>
  <packager>mlandres</packager>
  <description>This update for libzypp, zypper provides the following fixes:

Update libzypp to version 16.17.20

Security issues fixed:

- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)

Update zypper to version 1.13.45

Security issues fixed:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)

Other bugs fixed:

- XML &lt;install-summary&gt; attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- do not recommend cron (bsc#1079334)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)
</description>
  <summary>Security update for libzypp, zypper</summary>
  <zypp_restart_needed/>
</patchinfo>