SUSE has issued an advisory today (January 13): http://lists.suse.com/pipermail/sle-security-updates/2020-January/006333.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
openSUSE has issued an advisory for this today (February 27): https://lists.opensuse.org/opensuse-updates/2020-02/msg00106.html
Debian-LTS has issued an advisory for this on March 3: https://www.debian.org/lts/security/2020/dla-2132
On Cauldron this seems fixed in the current 17.20.0 release.
CC: (none) => geiger.david68210
This issue is fixed from release 17.19.0 and higher.
Source RPM: libzypp-17.15.0-1.mga8.src.rpm => libzypp-17.9.0-1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Advisory:

Libzypp from Mageia 7 is affected by a security issue. This update fixes this.

Incorrect Default Permissions vulnerability in libzypp allowed local attackers to read a cookie store used by libzypp, exposing private cookies.

References:
https://bugzilla.suse.com/show_bug.cgi?id=1158763
https://github.com/openSUSE/libzypp/pull/196
https://github.com/openSUSE/libzypp/commit/ea50981352bb5c7ab48663edaeb2df1ddd66953e
https://github.com/openSUSE/libzypp/commit/508b1201f23b44ee90dee6dbbeb3ac5f8bd4c089

rpms:
zypp-common-17.9.0-1.1.mga7
libzypp1709-17.9.0-1.1.mga7
libzypp-devel-17.9.0-1.1.mga7
libzypp-doc-17.9.0-1.1.mga7

from: libzypp-17.9.0-1.1.mga7
CC: (none) => mageia
Assignee: cjw => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous update, so hunting around.

# urpmq --whatrequires-recursive zypp-common
lib64zypp-devel
lib64zypp-devel
lib64zypp1709
lib64zypp1709
libzypp-doc
libzypp-doc
zypp-common
zypp-common
zypper

Installed zypper, but this is a complex command from what zypper -h shows.

$ zypper -V
zypper 1.14.16
$ zypper list-updates
Loading repository data...
Warning: No repositories defined. Operating only with the installed resolvables. Nothing can be installed.
Reading installed packages...
No updates found.

Googling brings me https://www.thegeekstuff.com/2015/04/zypper-examples/
This seems SUSE exclusive stuff, so I wonder what it is doing in Mageia.
Suggesting OK on clean install???
CC: (none) => herman.viaene
@Herman with respect to comment 6:
If what is required is to test this within a SUSE subsystem then it does look like a lot of work, setting up repositories and all; dozens of them at https://download.opensuse.org/repositories/ with lots of subdivisions (SuseStudio has versions of Mandriva going way back).

The bug seems to be about cookie based authentication and file permissions. Hard to see how to set up something to test that.

$ locate zypp | grep etc | grep -vi fetch
/etc/zypp
/etc/dnf/aliases.d/zypper.conf
/etc/logrotate.d/zypp-history.lr
/etc/zypp/needreboot
/etc/zypp/systemCheck
/etc/zypp/zypp.conf

The last file shows how complex a problem it would be to set things up. Nearly all the parameters are commented out.

Conclusion - go ahead and release it.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
If you two are in agreement, who am I to argue? ;-) Validating. Advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0245.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED