{"affected":[{"ecosystem_specific":{"binaries":[{"libsolv-devel":"0.6.35-3.5.2","libsolv-tools":"0.6.35-3.5.2","libzypp":"17.6.4-3.10.1","libzypp-devel":"17.6.4-3.10.1","python-solv":"0.6.35-3.5.2","zypper":"1.14.10-3.7.1","zypper-log":"1.14.10-3.7.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15","name":"libsolv","purl":"pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.6.35-3.5.2"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libsolv-devel":"0.6.35-3.5.2","libsolv-tools":"0.6.35-3.5.2","libzypp":"17.6.4-3.10.1","libzypp-devel":"17.6.4-3.10.1","python-solv":"0.6.35-3.5.2","zypper":"1.14.10-3.7.1","zypper-log":"1.14.10-3.7.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15","name":"libzypp","purl":"pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"17.6.4-3.10.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libsolv-devel":"0.6.35-3.5.2","libsolv-tools":"0.6.35-3.5.2","libzypp":"17.6.4-3.10.1","libzypp-devel":"17.6.4-3.10.1","python-solv":"0.6.35-3.5.2","zypper":"1.14.10-3.7.1","zypper-log":"1.14.10-3.7.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15","name":"zypper","purl":"pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.14.10-3.7.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"perl-solv":"0.6.35-3.5.2","python3-solv":"0.6.35-3.5.2","ruby-solv":"0.6.35-3.5.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15","name":"libsolv","purl":"pkg:rpm/suse/libsolv&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.6.35-3.5.2"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for libzypp, zypper, libsolv provides the following fixes:\n\nSecurity fixes in libzypp:\n\n- CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705)\n- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)\n\nChanges in libzypp:\n\n- Update to version 17.6.4\n- Automatically fetch repository signing key from gpgkey url (bsc#1088037)\n- lsof: use '-K i' if lsof supports it (bsc#1099847,bsc#1036304)\n- Check for not imported keys after multi key import from rpmdb (bsc#1096217)\n- Flags: make it std=c++14 ready\n- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)\n- Show GPGME version in log\n- Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427)\n- RepoInfo::provideKey: add report telling where we look for missing keys.\n- Support listing gpgkey URLs in repo files (bsc#1088037)\n- Add new report to request user approval for importing a package key\n- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)\n- Add filesize check for downloads with known size (bsc#408814)\n- Removed superfluous space in translation (bsc#1102019)\n- Prevent the system from sleeping during a commit\n- RepoManager: Explicitly request repo2solv to generate application pseudo packages.\n- libzypp-devel should not require cmake (bsc#1101349)\n- Avoid zombies from ExternalProgram\n- Update ApiConfig\n- HardLocksFile: Prevent against empty commit without Target having\n  been been loaded (bsc#1096803)\n- lsof: use '-K i' if lsof supports it (bsc#1099847)\n- Add filesize check for downloads with known size (bsc#408814)\n- Fix detection of metalink downloads and prevent aborting if a metalink file\n  is larger than the expected data file.\n- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)\n- Make use of %license macro (bsc#1082318)\n\nSecurity fix in zypper:\n\n- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)\n\nChanges in zypper:\n\n- Always set error status if any nr of unknown repositories are passed to lr and ref (bsc#1093103)\n- Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217)\n- Detect read only filesystem on system modifying operations (fixes #199)\n- Use %license (bsc#1082318)\n- Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc #1041178)\n- Fix broken display of detailed query results.\n- Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770)\n- Disable repository operations when searching installed packages. (bsc#1084525)\n- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)\n- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)\n- Fix some translation errors.\n- Support listing gpgkey URLs in repo files (bsc#1088037)\n- Check for root privileges in zypper verify and si (bsc#1058515)\n- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)\n- Add expert (allow-*) options to all installer commands (bsc#428822)\n- Sort search results by multiple columns (bsc#1066215)\n- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)\n- Set error status if repositories passed to lr and ref are not known (bsc#1093103)\n- Do not override table style in search\n- Fix out of bound read in MbsIterator\n- Add --supplements switch to search and info\n- Add setter functions for zypp cache related config values to ZConfig\n\nChanges in libsolv:\n\n- convert repo2solv.sh script into a binary tool\n- Make use of %license macro (bsc#1082318)\n","id":"SUSE-SU-2018:2690-1","modified":"2018-09-11T13:50:37Z","published":"2018-09-11T13:50:37Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20182690-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1036304"},{"type":"REPORT","url":"https://bugzilla.suse.com/1041178"},{"type":"REPORT","url":"https://bugzilla.suse.com/1043166"},{"type":"REPORT","url":"https://bugzilla.suse.com/1045735"},{"type":"REPORT","url":"https://bugzilla.suse.com/1058515"},{"type":"REPORT","url":"https://bugzilla.suse.com/1066215"},{"type":"REPORT","url":"https://bugzilla.suse.com/1070770"},{"type":"REPORT","url":"https://bugzilla.suse.com/1070851"},{"type":"REPORT","url":"https://bugzilla.suse.com/1082318"},{"type":"REPORT","url":"https://bugzilla.suse.com/1084525"},{"type":"REPORT","url":"https://bugzilla.suse.com/1088037"},{"type":"REPORT","url":"https://bugzilla.suse.com/1088705"},{"type":"REPORT","url":"https://bugzilla.suse.com/1091624"},{"type":"REPORT","url":"https://bugzilla.suse.com/1092413"},{"type":"REPORT","url":"https://bugzilla.suse.com/1093103"},{"type":"REPORT","url":"https://bugzilla.suse.com/1096217"},{"type":"REPORT","url":"https://bugzilla.suse.com/1096617"},{"type":"REPORT","url":"https://bugzilla.suse.com/1096803"},{"type":"REPORT","url":"https://bugzilla.suse.com/1099847"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100028"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100095"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100427"},{"type":"REPORT","url":"https://bugzilla.suse.com/1101349"},{"type":"REPORT","url":"https://bugzilla.suse.com/1102019"},{"type":"REPORT","url":"https://bugzilla.suse.com/1102429"},{"type":"REPORT","url":"https://bugzilla.suse.com/408814"},{"type":"REPORT","url":"https://bugzilla.suse.com/428822"},{"type":"REPORT","url":"https://bugzilla.suse.com/907538"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-9269"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-7685"}],"related":["CVE-2017-9269","CVE-2018-7685"],"summary":"Security update for libzypp, zypper","upstream":["CVE-2017-9269","CVE-2018-7685"]}