{"affected":[{"ecosystem_specific":{"binaries":[{"libzypp":"15.25.17-46.22.1","zypper":"1.12.59-46.10.1","zypper-log":"1.12.59-46.10.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12 SP1","name":"libzypp","purl":"pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.25.17-46.22.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libzypp":"15.25.17-46.22.1","zypper":"1.12.59-46.10.1","zypper-log":"1.12.59-46.10.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12 SP1","name":"zypper","purl":"pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.12.59-46.10.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libzypp":"15.25.17-46.22.1","zypper":"1.12.59-46.10.1","zypper-log":"1.12.59-46.10.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP1-LTSS","name":"libzypp","purl":"pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.25.17-46.22.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libzypp":"15.25.17-46.22.1","zypper":"1.12.59-46.10.1","zypper-log":"1.12.59-46.10.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP1-LTSS","name":"zypper","purl":"pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.12.59-46.10.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for libzypp, zypper provides the following fixes:\n\nlibzypp security fixes:\n\n- CVE-2018-7685: Validate RPMs before caching (bsc#1091624, bsc#1088705)\n- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)\n- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix repo gpg check workflows,\n  mainly for unsigned repos and packages (bsc#1045735, bsc#1038984)\n\nlibzypp changes:\n\n- RepoManager: Explicitly request repo2solv to generate application pseudo packages.\n- Prefer calling 'repo2solv' rather than 'repo2solv.sh'.\n- libzypp-devel should not require cmake. (bsc#1101349)\n- HardLocksFile: Prevent against empty commit without Target having been loaded. (bsc#1096803)\n- Avoid zombie tar processes. (bsc#1076192)\n- man: Make sure that '--config FILE' affects zypper.conf, not zypp.conf. (bsc#1100028)\n- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)\n- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735)\n- repo refresh: Re-probe if the repository type changes (bsc#1048315)\n- Use common workflow for downloading packages and srcpackages. This includes a\n  common way of handling and reporting gpg signature and checks. (bsc#1037210)\n- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)\n- Adapt to work with GnuPG 2.1.23 (bsc#1054088)\n  Use 'gpg --list-packets' to determine the keyid to verify a signature.\n- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)\n\nzypper security fixes:\n\n- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)\n- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)\n- Adapt download callback to report and handle unsigned packages (bsc#1038984, CVE-2017-7436)\n\nzypper changes:\n\n- download: fix crash when non-package types are passed as argument (bsc#1037210)\n- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)\n","id":"SUSE-SU-2018:2555-1","modified":"2018-08-30T06:44:57Z","published":"2018-08-30T06:44:57Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20182555-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1037210"},{"type":"REPORT","url":"https://bugzilla.suse.com/1038984"},{"type":"REPORT","url":"https://bugzilla.suse.com/1045735"},{"type":"REPORT","url":"https://bugzilla.suse.com/1048315"},{"type":"REPORT","url":"https://bugzilla.suse.com/1054088"},{"type":"REPORT","url":"https://bugzilla.suse.com/1070851"},{"type":"REPORT","url":"https://bugzilla.suse.com/1076192"},{"type":"REPORT","url":"https://bugzilla.suse.com/1088705"},{"type":"REPORT","url":"https://bugzilla.suse.com/1091624"},{"type":"REPORT","url":"https://bugzilla.suse.com/1092413"},{"type":"REPORT","url":"https://bugzilla.suse.com/1096803"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100028"},{"type":"REPORT","url":"https://bugzilla.suse.com/1101349"},{"type":"REPORT","url":"https://bugzilla.suse.com/1102429"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7435"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7436"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-9269"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-7685"}],"related":["CVE-2017-7435","CVE-2017-7436","CVE-2017-9269","CVE-2018-7685"],"summary":"Security update for libzypp, zypper","upstream":["CVE-2017-7435","CVE-2017-7436","CVE-2017-9269","CVE-2018-7685"]}