openSUSE Security Update : libzypp / zypper (openSUSE-2019-685)

critical Nessus Plugin ID 123296

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for libzypp, zypper and libsolv provides the following fixes:

Security fixes in libzypp:

- CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705)

- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)

Changes in libzypp:

- Update to version 17.6.4

- Automatically fetch repository signing key from gpgkey url (bsc#1088037)

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)

- Check for not imported keys after multi key import from rpmdb (bsc#1096217)

- Flags: make it std=c++14 ready

- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)

- Show GPGME version in log

- Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427)

- RepoInfo::provideKey: add report telling where we look for missing keys.

- Support listing gpgkey URLs in repo files (bsc#1088037)

- Add new report to request user approval for importing a package key

- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)

- Add filesize check for downloads with known size (bsc#408814)

- Removed superfluous space in translation (bsc#1102019)

- Prevent the system from sleeping during a commit

- RepoManager: Explicitly request repo2solv to generate application pseudo packages.

- libzypp-devel should not require cmake (bsc#1101349)

- Avoid zombies from ExternalProgram

- Update ApiConfig

- HardLocksFile: Prevent an empty commit without the Target having been loaded (bsc#1096803)

- lsof: use '-K i' if lsof supports it (bsc#1099847)

- Add filesize check for downloads with known size (bsc#408814)

- Fix detection of metalink downloads and prevent aborting if a metalink file is larger than the expected data file.

- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)

- Make use of %license macro (bsc#1082318)

Security fix in zypper:

- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

- Always set error status if any number of unknown repositories are passed to lr and ref (bsc#1093103)

- Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217)

- Detect read only filesystem on system modifying operations (fixes #199)

- Use %license (bsc#1082318)

- Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc#1041178)

- Fix broken display of detailed query results.

- Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770)

- Disable repository operations when searching installed packages. (bsc#1084525)

- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)

- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)

- Fix some translation errors.

- Support listing gpgkey URLs in repo files (bsc#1088037)

- Check for root privileges in zypper verify and si (bsc#1058515)

- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)

- Add expert (allow-*) options to all installer commands (bsc#428822)

- Sort search results by multiple columns (bsc#1066215)

- man: Make clear that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)

- Set error status if repositories passed to lr and ref are not known (bsc#1093103)

- Do not override table style in search

- Fix out of bound read in MbsIterator

- Add --supplements switch to search and info

- Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

- convert repo2solv.sh script into a binary tool

- Make use of %license macro (bsc#1082318)

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected libzypp / zypper packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1036304

https://bugzilla.opensuse.org/show_bug.cgi?id=1041178

https://bugzilla.opensuse.org/show_bug.cgi?id=1045735

https://bugzilla.opensuse.org/show_bug.cgi?id=1058515

https://bugzilla.opensuse.org/show_bug.cgi?id=1066215

https://bugzilla.opensuse.org/show_bug.cgi?id=1070770

https://bugzilla.opensuse.org/show_bug.cgi?id=1070851

https://bugzilla.opensuse.org/show_bug.cgi?id=1082318

https://bugzilla.opensuse.org/show_bug.cgi?id=1084525

https://bugzilla.opensuse.org/show_bug.cgi?id=1088037

https://bugzilla.opensuse.org/show_bug.cgi?id=1088705

https://bugzilla.opensuse.org/show_bug.cgi?id=1091624

https://bugzilla.opensuse.org/show_bug.cgi?id=1092413

https://bugzilla.opensuse.org/show_bug.cgi?id=1093103

https://bugzilla.opensuse.org/show_bug.cgi?id=1043166

https://bugzilla.opensuse.org/show_bug.cgi?id=1096217

https://bugzilla.opensuse.org/show_bug.cgi?id=1096617

https://bugzilla.opensuse.org/show_bug.cgi?id=1096803

https://bugzilla.opensuse.org/show_bug.cgi?id=1099847

https://bugzilla.opensuse.org/show_bug.cgi?id=1100028

https://bugzilla.opensuse.org/show_bug.cgi?id=1100095

https://bugzilla.opensuse.org/show_bug.cgi?id=1100427

https://bugzilla.opensuse.org/show_bug.cgi?id=1101349

https://bugzilla.opensuse.org/show_bug.cgi?id=1102019

https://bugzilla.opensuse.org/show_bug.cgi?id=1102429

https://bugzilla.opensuse.org/show_bug.cgi?id=408814

https://bugzilla.opensuse.org/show_bug.cgi?id=428822

https://bugzilla.opensuse.org/show_bug.cgi?id=907538

Plugin Details

Severity: Critical

ID: 123296

File Name: openSUSE-2019-685.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/27/2019

Updated: 6/11/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-9269

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python-solv, cpe:/o:novell:opensuse:15.0, p-cpe:/a:novell:opensuse:perl-solv-debuginfo, p-cpe:/a:novell:opensuse:libzypp, p-cpe:/a:novell:opensuse:libsolv-debuginfo, p-cpe:/a:novell:opensuse:libsolv-devel-debuginfo, p-cpe:/a:novell:opensuse:ruby-solv, p-cpe:/a:novell:opensuse:python3-solv, p-cpe:/a:novell:opensuse:libzypp-devel, p-cpe:/a:novell:opensuse:zypper-aptitude, p-cpe:/a:novell:opensuse:libsolv-demo, p-cpe:/a:novell:opensuse:libzypp-debugsource, p-cpe:/a:novell:opensuse:ruby-solv-debuginfo, p-cpe:/a:novell:opensuse:libsolv-debugsource, p-cpe:/a:novell:opensuse:libsolv-demo-debuginfo, p-cpe:/a:novell:opensuse:python3-solv-debuginfo, p-cpe:/a:novell:opensuse:zypper-debuginfo, p-cpe:/a:novell:opensuse:python-solv-debuginfo, p-cpe:/a:novell:opensuse:libzypp-debuginfo, p-cpe:/a:novell:opensuse:libsolv-devel, p-cpe:/a:novell:opensuse:libsolv-tools, p-cpe:/a:novell:opensuse:zypper-log, p-cpe:/a:novell:opensuse:perl-solv, p-cpe:/a:novell:opensuse:libsolv-tools-debuginfo, p-cpe:/a:novell:opensuse:zypper, p-cpe:/a:novell:opensuse:zypper-debugsource

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/23/2019

Vulnerability Publication Date: 3/1/2018

Reference Information

CVE: CVE-2017-9269, CVE-2018-7685