zypper-1.14.49-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11545 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z zypper-1.14.49-1.2 on GA media These are all security issues fixed in the zypper-1.14.49-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11545 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11545 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-7436/ SUSE CVE CVE-2017-7436 page https://www.suse.com/security/cve/CVE-2017-9269/ SUSE CVE CVE-2017-9269 page openSUSE Tumbleweed zypper-1.14.49-1.2 zypper-aptitude-1.14.49-1.2 zypper-log-1.14.49-1.2 zypper-needs-restarting-1.14.49-1.2 zypper-1.14.49-1.2 as a component of openSUSE Tumbleweed zypper-aptitude-1.14.49-1.2 as a component of openSUSE Tumbleweed zypper-log-1.14.49-1.2 as a component of openSUSE Tumbleweed zypper-needs-restarting-1.14.49-1.2 as a component of openSUSE Tumbleweed In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system. CVE-2017-7436 openSUSE Tumbleweed:zypper-1.14.49-1.2 openSUSE Tumbleweed:zypper-aptitude-1.14.49-1.2 openSUSE Tumbleweed:zypper-log-1.14.49-1.2 openSUSE Tumbleweed:zypper-needs-restarting-1.14.49-1.2 moderate 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7436.html CVE-2017-7436 https://bugzilla.suse.com/1008325 SUSE Bug 1008325 https://bugzilla.suse.com/1009127 SUSE Bug 1009127 https://bugzilla.suse.com/1038984 SUSE Bug 1038984 https://bugzilla.suse.com/1045735 SUSE Bug 1045735 In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content. CVE-2017-9269 openSUSE Tumbleweed:zypper-1.14.49-1.2 openSUSE Tumbleweed:zypper-aptitude-1.14.49-1.2 openSUSE Tumbleweed:zypper-log-1.14.49-1.2 openSUSE Tumbleweed:zypper-needs-restarting-1.14.49-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-9269.html CVE-2017-9269 https://bugzilla.suse.com/1038984 SUSE Bug 1038984 https://bugzilla.suse.com/1045735 SUSE Bug 1045735