Security update for libzypp, zypper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0059-1 Final 1 1 2021-01-14T16:11:48Z current 2021-01-14T16:11:48Z 2021-01-14T16:11:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libzypp, zypper This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.41 Update libzypp to 17.25.4 - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) yast-installation was updated to 4.2.48: - Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-59 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FB5G3FIS4OQH3FX723SLMBOC4P37HKHV/ E-Mail link for openSUSE-SU-2021:0059-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1050625 SUSE Bug 1050625 https://bugzilla.suse.com/1174016 SUSE Bug 1174016 https://bugzilla.suse.com/1177238 SUSE Bug 1177238 https://bugzilla.suse.com/1177275 SUSE Bug 1177275 https://bugzilla.suse.com/1177427 SUSE Bug 1177427 https://bugzilla.suse.com/1177583 SUSE Bug 1177583 https://bugzilla.suse.com/1178910 SUSE Bug 1178910 https://bugzilla.suse.com/1178966 SUSE Bug 1178966 https://bugzilla.suse.com/1179083 SUSE Bug 1179083 https://bugzilla.suse.com/1179222 SUSE Bug 1179222 https://bugzilla.suse.com/1179415 SUSE Bug 1179415 https://bugzilla.suse.com/1179909 SUSE Bug 1179909 https://www.suse.com/security/cve/CVE-2017-9271/ SUSE CVE CVE-2017-9271 page openSUSE Leap 15.2 libzypp-17.25.5-lp152.2.16.1 libzypp-devel-17.25.5-lp152.2.16.1 libzypp-devel-doc-17.25.5-lp152.2.16.1 yast2-installation-4.2.48-lp152.2.12.1 zypper-1.14.41-lp152.2.12.1 zypper-aptitude-1.14.41-lp152.2.12.1 zypper-log-1.14.41-lp152.2.12.1 zypper-needs-restarting-1.14.41-lp152.2.12.1 libzypp-17.25.5-lp152.2.16.1 as a component of openSUSE Leap 15.2 libzypp-devel-17.25.5-lp152.2.16.1 as a component of openSUSE Leap 15.2 libzypp-devel-doc-17.25.5-lp152.2.16.1 as a component of openSUSE Leap 15.2 yast2-installation-4.2.48-lp152.2.12.1 as a component of openSUSE Leap 15.2 zypper-1.14.41-lp152.2.12.1 as a component of openSUSE Leap 15.2 zypper-aptitude-1.14.41-lp152.2.12.1 as a component of openSUSE Leap 15.2 zypper-log-1.14.41-lp152.2.12.1 as a component of openSUSE Leap 15.2 zypper-needs-restarting-1.14.41-lp152.2.12.1 as a component of openSUSE Leap 15.2 The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used. CVE-2017-9271 openSUSE Leap 15.2:libzypp-17.25.5-lp152.2.16.1 openSUSE Leap 15.2:libzypp-devel-17.25.5-lp152.2.16.1 openSUSE Leap 15.2:libzypp-devel-doc-17.25.5-lp152.2.16.1 openSUSE Leap 15.2:yast2-installation-4.2.48-lp152.2.12.1 openSUSE Leap 15.2:zypper-1.14.41-lp152.2.12.1 openSUSE Leap 15.2:zypper-aptitude-1.14.41-lp152.2.12.1 openSUSE Leap 15.2:zypper-log-1.14.41-lp152.2.12.1 openSUSE Leap 15.2:zypper-needs-restarting-1.14.41-lp152.2.12.1 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FB5G3FIS4OQH3FX723SLMBOC4P37HKHV/ https://www.suse.com/security/cve/CVE-2017-9271.html CVE-2017-9271 https://bugzilla.suse.com/1050625 SUSE Bug 1050625