{"affected":[{"ecosystem_specific":{"binaries":[{"libzypp":"14.45.17-2.82.1","zypper":"1.11.70-2.69.2","zypper-log":"1.11.70-2.69.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12-LTSS","name":"libzypp","purl":"pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"14.45.17-2.82.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libzypp":"14.45.17-2.82.1","zypper":"1.11.70-2.69.2","zypper-log":"1.11.70-2.69.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12-LTSS","name":"zypper","purl":"pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.11.70-2.69.2"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for libzypp, zypper fixes the following issues:\n\nlibzypp security fixes:\n\n- PackageProvider: Validate delta rpms before caching\n  (bsc#1091624, bsc#1088705, CVE-2018-7685)\n- PackageProvider: Validate downloaded rpm package signatures before caching\n  (bsc#1091624, bsc#1088705, CVE-2018-7685)\n- Be sure bad packages do not stay in the cache (bsc#1045735, CVE-2017-9269)\n- Fix repo gpg check workflows, mainly for unsigned repos and packages\n  (bsc#1045735, bsc#1038984, CVE-2017-7435, CVE-2017-7436, CVE-2017-9269)\n\nlibzypp other changes/bugs fixed:\n\n- Update to version 14.45.17\n- RepoInfo: add enum GpgCheck for convenient gpgcheck mode handling (bsc#1045735)\n- repo refresh: Re-probe if the repository type changes (bsc#1048315)\n- Use common workflow for downloading packages and srcpackages. This includes a\n  common way of handling and reporting gpg signature and checks. (bsc#1037210)\n- PackageProvider: as well support downloading SrcPackage (for bsc#1037210)\n- Adapt to work with GnuPG 2.1.23 (bsc#1054088)\n- repo refresh: Re-probe if the repository type changes (bsc#1048315)\n- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)\n- RepoManager: Explicitly request repo2solv to generate application pseudo\n  packages.\n- Prefer calling 'repo2solv' rather than 'repo2solv.sh'\n- libzypp-devel should not require cmake (bsc#1101349)\n- HardLocksFile: Prevent against empty commit without Target having been been\n  loaded (bsc#1096803)\n- Avoid zombie tar processes (bsc#1076192)\n- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)\n\nzypper security fixes:\n\n- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)\n- add/modify repo: Add options to tune the GPG check settings (bsc#1045735,\n  CVE-2017-9269)\n- Adapt download callback to report and handle unsigned packages (bsc#1038984,\n  CVE-2017-7436)\n\nzypper other changes/bugs fixed:\n\n- Update to version 1.11.70\n- Bugfix: Prevent ESC sequence strings from going out of scope (bsc#1092413)\n- XML <install-summary> attribute `packages-to-change` added (bsc#1102429)\n- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)\n- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)\n- do not recommend cron (bsc#1079334)\n","id":"SUSE-SU-2018:2688-1","modified":"2018-09-11T12:59:55Z","published":"2018-09-11T12:59:55Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20182688-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1036304"},{"type":"REPORT","url":"https://bugzilla.suse.com/1037210"},{"type":"REPORT","url":"https://bugzilla.suse.com/1038984"},{"type":"REPORT","url":"https://bugzilla.suse.com/1045735"},{"type":"REPORT","url":"https://bugzilla.suse.com/1048315"},{"type":"REPORT","url":"https://bugzilla.suse.com/1054088"},{"type":"REPORT","url":"https://bugzilla.suse.com/1070851"},{"type":"REPORT","url":"https://bugzilla.suse.com/1076192"},{"type":"REPORT","url":"https://bugzilla.suse.com/1079334"},{"type":"REPORT","url":"https://bugzilla.suse.com/1088705"},{"type":"REPORT","url":"https://bugzilla.suse.com/1091624"},{"type":"REPORT","url":"https://bugzilla.suse.com/1092413"},{"type":"REPORT","url":"https://bugzilla.suse.com/1096803"},{"type":"REPORT","url":"https://bugzilla.suse.com/1099847"},{"type":"REPORT","url":"https://bugzilla.suse.com/1100028"},{"type":"REPORT","url":"https://bugzilla.suse.com/1101349"},{"type":"REPORT","url":"https://bugzilla.suse.com/1102429"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7435"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7436"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-9269"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-7685"}],"related":["CVE-2017-7435","CVE-2017-7436","CVE-2017-9269","CVE-2018-7685"],"summary":"Security update for libzypp, zypper","upstream":["CVE-2017-7435","CVE-2017-7436","CVE-2017-9269","CVE-2018-7685"]}