OPENSUSE-SU-2022:1157-1

Vulnerability from csaf_opensuse - Published: 2022-07-14 09:34 - Updated: 2022-07-14 09:34
Summary
Security update for libsolv, libzypp, zypper

Notes

Title of the patch
Security update for libsolv, libzypp, zypper
Description of the patch
This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

- Harden package signature checks (bsc#1184501).

libsolv update to 0.7.22:

- reworked choice rule generation to cover more use cases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
- support parsing of Debian's Multi-Arch indicator
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden vendor change
- support strict repository priorities
  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
- support setting/reading userdata in solv files
  new functions: repowriter_set_userdata, solv_read_userdata
- support querying of the custom vendor check function
  new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime

libzypp update to 17.30.0:

- ZConfig: Update solver settings if target changes (bsc#1196368)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- Fix package signature check (bsc#1184501)
  Pay attention that header and payload are secured by a valid signature and report in more detail which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
  A previously released ISO image may need a bit more time to release its loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper update to 1.14.52:

- info: print the package's upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)
Patchnames
openSUSE-Leap-Micro-5.2-2022-1157
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for libsolv, libzypp, zypper",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for libsolv, libzypp, zypper fixes the following issues:\n\nSecurity relevant fix:\n\n- Harden package signature checks (bsc#1184501).\n\nlibsolv update to 0.7.22:\n\n- reworked choice rule generation to cover more usecases\n- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)\n- support parsing of Debian\u0027s Multi-Arch indicator\n- fix segfault on conflict resolution when using bindings\n- fix split provides not working if the update includes a forbidden vendor change\n- support strict repository priorities\n  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY\n- support zstd compressed control files in debian packages\n- add an ifdef allowing to rename Solvable dependency members (\u0027requires\u0027 is a keyword in C++20)\n- support setting/reading userdata in solv files\n  new functions: repowriter_set_userdata, solv_read_userdata\n- support queying of the custom vendor check function\n  new function: pool_get_custom_vendorcheck\n- support solv files with an idarray block\n- allow accessing the toolversion at runtime\n\nlibzypp update to 17.30.0:\n\n- ZConfig: Update solver settings if target changes (bsc#1196368)\n- Fix possible hang in singletrans mode (bsc#1197134)\n- Do 2 retries if mount is still busy.\n- Fix package signature check (bsc#1184501)\n  Pay attention that header and payload are secured by a valid\n  signature and report more detailed which signature is missing.\n- Retry umount if device is busy (bsc#1196061, closes #381)\n  A previously released ISO image may need a bit more time to\n  release it\u0027s loop device. So we wait a bit and retry.\n- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)\n- Fix handling of ISO media in releaseAll (bsc#1196061)\n- Hint on common ptf resolver conflicts (bsc#1194848)\n- Hint on ptf\u003c\u003epatch resolver conflicts (bsc#1194848)\n\nzypper update to 1.14.52:\n\n- info: print the packages upstream URL if available (fixes #426)\n- info: Fix SEGV with not installed PTFs (bsc#1196317)\n- Don\u0027t prevent less restrictive umasks (bsc#1195999)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-Micro-5.2-2022-1157",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_1157-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:1157-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AYJVCDZFHL3RLKSFHF4ITKBC25PHGJ5K/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:1157-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AYJVCDZFHL3RLKSFHF4ITKBC25PHGJ5K/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1184501",
        "url": "https://bugzilla.suse.com/1184501"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1194848",
        "url": "https://bugzilla.suse.com/1194848"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1195999",
        "url": "https://bugzilla.suse.com/1195999"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196061",
        "url": "https://bugzilla.suse.com/1196061"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196317",
        "url": "https://bugzilla.suse.com/1196317"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196368",
        "url": "https://bugzilla.suse.com/1196368"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196514",
        "url": "https://bugzilla.suse.com/1196514"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196925",
        "url": "https://bugzilla.suse.com/1196925"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1197134",
        "url": "https://bugzilla.suse.com/1197134"
      }
    ],
    "title": "Security update for libsolv, libzypp, zypper",
    "tracking": {
      "current_release_date": "2022-07-14T09:34:29Z",
      "generator": {
        "date": "2022-07-14T09:34:29Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:1157-1",
      "initial_release_date": "2022-07-14T09:34:29Z",
      "revision_history": [
        {
          "date": "2022-07-14T09:34:29Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsolv-tools-0.7.22-150200.12.1.aarch64",
                "product": {
                  "name": "libsolv-tools-0.7.22-150200.12.1.aarch64",
                  "product_id": "libsolv-tools-0.7.22-150200.12.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "libzypp-17.30.0-150200.36.1.aarch64",
                "product": {
                  "name": "libzypp-17.30.0-150200.36.1.aarch64",
                  "product_id": "libzypp-17.30.0-150200.36.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "zypper-1.14.52-150200.30.2.aarch64",
                "product": {
                  "name": "zypper-1.14.52-150200.30.2.aarch64",
                  "product_id": "zypper-1.14.52-150200.30.2.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zypper-needs-restarting-1.14.52-150200.30.2.noarch",
                "product": {
                  "name": "zypper-needs-restarting-1.14.52-150200.30.2.noarch",
                  "product_id": "zypper-needs-restarting-1.14.52-150200.30.2.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libsolv-tools-0.7.22-150200.12.1.x86_64",
                "product": {
                  "name": "libsolv-tools-0.7.22-150200.12.1.x86_64",
                  "product_id": "libsolv-tools-0.7.22-150200.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libzypp-17.30.0-150200.36.1.x86_64",
                "product": {
                  "name": "libzypp-17.30.0-150200.36.1.x86_64",
                  "product_id": "libzypp-17.30.0-150200.36.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "zypper-1.14.52-150200.30.2.x86_64",
                "product": {
                  "name": "zypper-1.14.52-150200.30.2.x86_64",
                  "product_id": "zypper-1.14.52-150200.30.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap Micro 5.2",
                "product": {
                  "name": "openSUSE Leap Micro 5.2",
                  "product_id": "openSUSE Leap Micro 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap-micro:5.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsolv-tools-0.7.22-150200.12.1.aarch64 as component of openSUSE Leap Micro 5.2",
          "product_id": "openSUSE Leap Micro 5.2:libsolv-tools-0.7.22-150200.12.1.aarch64"
        },
        "product_reference": "libsolv-tools-0.7.22-150200.12.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libsolv-tools-0.7.22-150200.12.1.x86_64 as component of openSUSE Leap Micro 5.2",
          "product_id": "openSUSE Leap Micro 5.2:libsolv-tools-0.7.22-150200.12.1.x86_64"
        },
        "product_reference": "libsolv-tools-0.7.22-150200.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libzypp-17.30.0-150200.36.1.aarch64 as component of openSUSE Leap Micro 5.2",
          "product_id": "openSUSE Leap Micro 5.2:libzypp-17.30.0-150200.36.1.aarch64"
        },
        "product_reference": "libzypp-17.30.0-150200.36.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libzypp-17.30.0-150200.36.1.x86_64 as component of openSUSE Leap Micro 5.2",
          "product_id": "openSUSE Leap Micro 5.2:libzypp-17.30.0-150200.36.1.x86_64"
        },
        "product_reference": "libzypp-17.30.0-150200.36.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zypper-1.14.52-150200.30.2.aarch64 as component of openSUSE Leap Micro 5.2",
          "product_id": "openSUSE Leap Micro 5.2:zypper-1.14.52-150200.30.2.aarch64"
        },
        "product_reference": "zypper-1.14.52-150200.30.2.aarch64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zypper-1.14.52-150200.30.2.x86_64 as component of openSUSE Leap Micro 5.2",
          "product_id": "openSUSE Leap Micro 5.2:zypper-1.14.52-150200.30.2.x86_64"
        },
        "product_reference": "zypper-1.14.52-150200.30.2.x86_64",
        "relates_to_product_reference": "openSUSE Leap Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zypper-needs-restarting-1.14.52-150200.30.2.noarch as component of openSUSE Leap Micro 5.2",
          "product_id": "openSUSE Leap Micro 5.2:zypper-needs-restarting-1.14.52-150200.30.2.noarch"
        },
        "product_reference": "zypper-needs-restarting-1.14.52-150200.30.2.noarch",
        "relates_to_product_reference": "openSUSE Leap Micro 5.2"
      }
    ]
  }
}

