Security update for libsolv, libzypp, zypper SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0255-1 Final 1 1 2020-02-27T13:19:04Z current 2020-02-27T13:19:04Z 2020-02-27T13:19:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libsolv, libzypp, zypper This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). - Fix description of --table-style,-s in man page (bsc#1154804). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-255 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DEU3QUUM7SDENWAOTTIKYJWY3DTE244N/ E-Mail link for openSUSE-SU-2020:0255-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1135114 SUSE Bug 1135114 https://bugzilla.suse.com/1154804 SUSE Bug 1154804 https://bugzilla.suse.com/1154805 SUSE Bug 1154805 https://bugzilla.suse.com/1155198 SUSE Bug 1155198 https://bugzilla.suse.com/1155205 SUSE Bug 1155205 https://bugzilla.suse.com/1155298 SUSE Bug 1155298 https://bugzilla.suse.com/1155678 SUSE Bug 1155678 https://bugzilla.suse.com/1155819 SUSE Bug 1155819 https://bugzilla.suse.com/1156158 SUSE Bug 1156158 https://bugzilla.suse.com/1157377 SUSE Bug 1157377 https://bugzilla.suse.com/1158763 SUSE Bug 1158763 https://www.suse.com/security/cve/CVE-2019-18900/ SUSE CVE CVE-2019-18900 page openSUSE Leap 15.1 libsolv-demo-0.7.10-lp151.2.10.1 libsolv-devel-0.7.10-lp151.2.10.1 libsolv-tools-0.7.10-lp151.2.10.1 libzypp-17.19.0-lp151.2.10.1 libzypp-devel-17.19.0-lp151.2.10.1 libzypp-devel-doc-17.19.0-lp151.2.10.1 perl-solv-0.7.10-lp151.2.10.1 python-solv-0.7.10-lp151.2.10.1 python3-solv-0.7.10-lp151.2.10.1 ruby-solv-0.7.10-lp151.2.10.1 zypper-1.14.33-lp151.2.10.1 zypper-aptitude-1.14.33-lp151.2.10.1 zypper-log-1.14.33-lp151.2.10.1 zypper-needs-restarting-1.14.33-lp151.2.10.1 libsolv-demo-0.7.10-lp151.2.10.1 as a component of openSUSE Leap 15.1 libsolv-devel-0.7.10-lp151.2.10.1 as a component of openSUSE Leap 15.1 libsolv-tools-0.7.10-lp151.2.10.1 as a component of openSUSE Leap 15.1 libzypp-17.19.0-lp151.2.10.1 as a component of openSUSE Leap 15.1 libzypp-devel-17.19.0-lp151.2.10.1 as a component of openSUSE Leap 15.1 libzypp-devel-doc-17.19.0-lp151.2.10.1 as a component of openSUSE Leap 15.1 perl-solv-0.7.10-lp151.2.10.1 as a component of openSUSE Leap 15.1 python-solv-0.7.10-lp151.2.10.1 as a component of openSUSE Leap 15.1 python3-solv-0.7.10-lp151.2.10.1 as a component of openSUSE Leap 15.1 ruby-solv-0.7.10-lp151.2.10.1 as a component of openSUSE Leap 15.1 zypper-1.14.33-lp151.2.10.1 as a component of openSUSE Leap 15.1 zypper-aptitude-1.14.33-lp151.2.10.1 as a component of openSUSE Leap 15.1 zypper-log-1.14.33-lp151.2.10.1 as a component of openSUSE Leap 15.1 zypper-needs-restarting-1.14.33-lp151.2.10.1 as a component of openSUSE Leap 15.1 : Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1. CVE-2019-18900 openSUSE Leap 15.1:libsolv-demo-0.7.10-lp151.2.10.1 openSUSE Leap 15.1:libsolv-devel-0.7.10-lp151.2.10.1 openSUSE Leap 15.1:libsolv-tools-0.7.10-lp151.2.10.1 openSUSE Leap 15.1:libzypp-17.19.0-lp151.2.10.1 openSUSE Leap 15.1:libzypp-devel-17.19.0-lp151.2.10.1 openSUSE Leap 15.1:libzypp-devel-doc-17.19.0-lp151.2.10.1 openSUSE Leap 15.1:perl-solv-0.7.10-lp151.2.10.1 openSUSE Leap 15.1:python-solv-0.7.10-lp151.2.10.1 openSUSE Leap 15.1:python3-solv-0.7.10-lp151.2.10.1 openSUSE Leap 15.1:ruby-solv-0.7.10-lp151.2.10.1 openSUSE Leap 15.1:zypper-1.14.33-lp151.2.10.1 openSUSE Leap 15.1:zypper-aptitude-1.14.33-lp151.2.10.1 openSUSE Leap 15.1:zypper-log-1.14.33-lp151.2.10.1 openSUSE Leap 15.1:zypper-needs-restarting-1.14.33-lp151.2.10.1 low 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DEU3QUUM7SDENWAOTTIKYJWY3DTE244N/ https://www.suse.com/security/cve/CVE-2019-18900.html CVE-2019-18900 https://bugzilla.suse.com/1158763 SUSE Bug 1158763