File _patchinfo of Package patchinfo.10948
<patchinfo incident="10948">
<issue tracker="bnc" id="1135749">[Staging] libsolv fails to build against swig 4.0</issue>
<issue tracker="bnc" id="1127155">Partner-L3: OES2018 SP1 Update 1: Conflict occured while applying the OES2018 SP1 Update1 patch.</issue>
<issue tracker="bnc" id="1123137">--replacefiles doesn't work when install perl-DBD-SQLite</issue>
<issue tracker="bnc" id="1102261">"zypper patch --with update" should implicitly assume "--with-optional" and not tell me that I need to do something more to install optional patches, since it will install them anyway</issue>
<issue tracker="bnc" id="1119373">Undecided in zypper.conf for run "zypper se" + various UI issues</issue>
<issue tracker="bnc" id="764147">zypper could display support info if available</issue>
<issue tracker="bnc" id="1112911">L3-Question: zypper locks display is broken</issue>
<issue tracker="bnc" id="1049826">zypper bash completion does not handle short command line switches</issue>
<issue tracker="bnc" id="993025">do not show the packages that will not get updated in quiet mode</issue>
<issue tracker="bnc" id="1125415">zypper: refresh disabled repos</issue>
<issue tracker="bnc" id="1120463">Zypper dup does not allow changing the vendor of installed resolvables</issue>
<issue tracker="bnc" id="1110542">Zypper resolution prompt appears twice</issue>
<issue tracker="bnc" id="1121611">Repositories added from .repo file are not set to auto-refresh but `zypper ar --help` and the man page tells otherwise</issue>
<issue tracker="bnc" id="1053177">zypper ref -f doesn't refresh cache for CD/DVD</issue>
<issue tracker="bnc" id="1047962">Autocomplete for package names does not work for specific zypper commands</issue>
<issue tracker="bnc" id="1111319">transactional-update package get's deinstalled</issue>
<issue tracker="bnc" id="1123681">zypper --plus-content &lt;TAG&gt; is broken</issue>
<issue tracker="bnc" id="1119873">zypper search: inconsistent results for `-t package kernel-default` vs `package:kernel-default`</issue>
<issue tracker="bnc" id="1122062">[1.14.20] Image build fails with "The flag reposd-dir requires a argument."</issue>
<issue tracker="bnc" id="1120263">zypper ps should mention "reboot needed</issue>
<issue tracker="bnc" id="1123865">Regression: Beta 3 Candidate: zypper fails with flag no-refresh twice - salt pkg.installed sets this flag twice</issue>
<issue tracker="bnc" id="1113296">zypper addlock will not lock "kernel-default"</issue>
<issue tracker="bnc" id="1123967">Inconsistent behavior when refreshing repositories</issue>
<issue tracker="bnc" id="663358">[zypper] can not install src rpm available on the local disk</issue>
<issue tracker="bnc" id="1119820">SOLVER_FLAG_ONLY_NAMESPACE_RECOMMENDED seems to break kiwi image generation</issue>
<issue tracker="bnc" id="1124897">[Build 20190208] openQA test fails in chrome</issue>
<issue tracker="fate" id="326451"/>
<issue tracker="fate" id="325599"/>
<issue tracker="fate" id="325513"/>
<issue tracker="bnc" id="1118758">Please define SYSTEMD_OFFLINE=1 when managing packages inside a chroot</issue>
<issue tracker="bnc" id="1115341">[Build 20181108] openQA test fails in yast2_i</issue>
<issue tracker="bnc" id="1065022">Wrong "File '/media.1/media' not found on medium" error message when package download fails</issue>
<issue tracker="bnc" id="1122471">zypper --root gets confused if rpm is uninstalled</issue>
<issue tracker="bnc" id="1113296">zypper addlock will not lock "kernel-default"</issue>
<issue tracker="bnc" id="978193">zypper falsely accuses user</issue>
<issue tracker="bnc" id="1116840">zypper fails with 'Bad input stream'</issue>
<issue tracker="bnc" id="1099019">libzypp: remove world-readable bit from /var/log/zypp</issue>
<issue tracker="bnc" id="1130161">Unusual high memory usage while zypper is executing inside of lxc</issue>
<issue tracker="bnc" id="965786">expired regcode reports permission denied</issue>
<issue tracker="bnc" id="1127026">L3: yast coredumped on mac client</issue>
<issue tracker="bnc" id="1114908">zypper --plus-content does not work as expected</issue>
<issue tracker="bnc" id="1127220">[libgpgme] gpgme_op_import issue when signal is received (e.g. CTRL-C in zypper)</issue>
<issue tracker="bnc" id="1112911">L3-Question: zypper locks display is broken</issue>
<issue tracker="bnc" id="1123843">zypper ps always shows 3 programs with memfd errors</issue>
<issue id="1120629" tracker="bnc">VUL-1: CVE-2018-20532: libsolv: NULL pointer dereference at ext/testcase.c (function testcase_read)</issue>
<issue id="1120630" tracker="bnc">VUL-1: CVE-2018-20533: libsolv: NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a</issue>
<issue id="1120631" tracker="bnc">VUL-1: CVE-2018-20534: libsolv: illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a</issue>
<issue id="1131823" tracker="bnc">[SLES15SP1][Build 208.1] Virtualization host upgrade from SLES-15 to SLES-15-SP1 finished with wrong product name shown up</issue>
<issue id="1137977" tracker="bnc">zypper rm -t pattern not removing all packages within the pattern</issue>
<issue id="2018-20532" tracker="cve" />
<issue id="2018-20533" tracker="cve" />
<issue id="2018-20534" tracker="cve" />
<issue tracker="fate" id="326451"/>
<issue tracker="fate" id="325513"/>
<issue tracker="fate" id="323785"/>
<category>security</category>
<rating>moderate</rating>
<packager>mlandres</packager>
<description>This update for libzypp and libsolv fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).
Fixed bugs and enhancements:
- make cleandeps jobs on patterns work (bnc#1137977)
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue where a virtualization host upgrade from SLES-15 to SLES-15-SP1 finished with the wrong product name shown (bsc#1131823).
- Copy pattern categories from the rpm that defines the pattern (fate#323785).
- Enhance scanning /sys for modaliases (bsc#1130161).
- Prevent SEGV if the application sets an empty TextLocale (bsc#1127026).
- Handle libgpgme error when gpg key is not completely read and user hits CTRL + C (bsc#1127220).
- Added a hint when registration codes have expired (bsc#965786).
- Adds better handling of an error when verifying any repository medium (bsc#1065022).
- Will now only write type field when probing (bsc#1114908).
- Fixes an issue where zypper showed the info message 'Installation aborted by user' while the installation was aborted by wicked (bsc#978193).
- Suppresses reporting `/memfd:` pseudo files (bsc#1123843).
- Fixes an issue where zypper was not able to install or uninstall packages when rpm is unavailable (bsc#1122471).
- Fixes an issue where locks were ignored (bsc#1113296).
- Simplify complex locks so zypper can display them (bsc#1112911).
- zypper will now set `SYSTEMD_OFFLINE=1` during chrooted commits (bsc#1118758).
- no-recommends: Nevertheless consider resolver namespaces (hardware, language,..supporting packages) (fate#325513).
- Removes world-readable bit from /var/log/zypp (bsc#1099019).
- No longer fails service-refresh on an empty repoindex.xml (bsc#1116840).
- Fixes soname due to libsolv ABI changes (bsc#1115341).
- Add infrastructure to flag specific packages to trigger a reboot needed hint (fate#326451).
This update for zypper 1.14.27 fixes the following issues:
- bash-completion: add package completion for addlock (bsc#1047962)
- bash-completion: fix incorrect detection of command names (bsc#1049826)
- Offer to change the 'runSearchPackages' config option at the prompt
  (bsc#1119373, FATE#325599)
- Prompt: provide a 'yes/no/always/never' prompt.
- Prompt: support "#NUM" as answer to select the NUMth option...
- Augeas: enable writing back changed option values (to ~/.zypper.conf)
- removelocale: fix segfault
- Move needs-restarting command to subpackage (fixes #254)
- Allow empty string as argument (bsc#1125415)
- Provide a way to delete cache for volatile repositories (bsc#1053177)
- Adapt to boost-1.69 requiring explicit casts tribool->bool (fixes #255)
- Show support status in info if not unknown (bsc#764147)
- Fix installing plain rpm files with `zypper in` (bsc#1124897)
- Show only required info in the summary in quiet mode (bsc#993025)
- Stay with legacy behavior and return ZYPPER_EXIT_INF_REBOOT_NEEDED
  only for patches. We don't extend this return code to packages,
  although they may also carry the 'reboot-needed' attribute. The
  preferred way to test whether the system needs to be rebooted is
  `zypper needs-rebooting`. (openSUSE/zypper#237)
- Skip repository on error (bsc#1123967)
- New commands for locale management: locales addlocale removelocale
  Inspect and manipulate the system's `requested locales`, aka. the
  languages software packages should try to support by installing
  translations, dictionaries and tools, as far as they are available.
- Don't throw, just warn if options are repeated (bsc#1123865)
- Fix detection whether stdout is a tty (happened too late)
- Fix broken --plus-content switch (fixes bsc#1123681)
- Fix broken --replacefiles switch (fixes bsc#1123137)
- Extend zypper source-install (fixes bsc#663358)
- Fix inconsistent results for search (bsc#1119873)
- Show reboot hint in zypper ps and summary (fixes bsc#1120263)
- Improve handling of partially locked packages (bsc#1113296)
- Fix wrong default values in help text (bsc#1121611)
- Fixed broken argument parsing for --reposd-dir (bsc#1122062)
- Fix wrong zypp::indeterminate use (bsc#1120463)
- CLI parser: fix broken initialization enforcing 'select by name'
  (bsc#1119820)
- zypper.conf: [commit] autoAgreeWithLicenses {=false} (fixes #220)
- locks: Fix printing of versioned locks (bsc#1112911)
- locks: create and write versioned locks correctly (bsc#1112911)
- patch: --with update may implicitly assume --with-optional (bsc#1102261)
- no-recommends: Nevertheless consider resolver namespaces (hardware,
  language,..supporting packages) (FATE#325513)
- Optionally run "zypper search-packages" after "search" (FATE#325599)
- zypper.conf: Add [search]runSearchPackages config variable.
- Don't iterate twice on --no-cd (bsc#1111319)
- zypper-log: Make it Python 3 compatible
- man: mention /etc/zypp/needreboot config file (fate#326451, fixes #140)
- Add `needs-restarting` shell script and manpage (fate#326451)
- Add zypper needs-rebooting command (fate#326451)
- Introduce new zypper command framework. Migrated commands so far:
  addlock addrepo addservice clean cleanlocks modifyrepo modifyservice
  ps refresh refresh-services removelock removerepo removeservice
  renamerepo repos services
- MediaChangeReport: fix https URLs causing 2 prompts on error
  (bsc#1110542)
</description>
<summary>Security update for zypper, libzypp and libsolv</summary>
<zypp_restart_needed/>
</patchinfo>