A libdnf security update has been released for openSUSE Leap 15.3.

openSUSE-SU-2021:2685-1: moderate: Security update for libdnf

openSUSE Security Update: Security update for libdnf
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:2685-1
Rating: moderate
References: #1183779
Cross-References: CVE-2021-20271 CVE-2021-3421 CVE-2021-3445

CVSS scores:
CVE-2021-20271 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-20271 (SUSE): 3.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
CVE-2021-3421 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-3421 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE-2021-3445 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-3445 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for libdnf fixes the following issues:

- Fixed crash when loading DVD repositories

Update to 0.62.0

+ Change order of TransactionItemReason (rh#1921063)
+ Add two new comperators for security filters (rh#1918475)
+ Apply security filters for candidates with lower priority
+ Fix: Goal - translation of messages in global maps
+ Enhance description of modular solvables
+ Improve performance for module query
+ Change mechanism of modular errata applicability (rh#1804234)
+ dnf_transaction_commit(): Remove second call to rpmtsSetVSFlags
+ Fix a couple of memory leaks
+ Fix: Setting of librepo handle in newHandle function
+ Remove failsafe data when module is not enabled (rh#1847035)
+ Expose librepo's checksum functions via SWIG
+ Fix: Mising check of "hy_split_nevra()" return code
+ Do not allow 1 as installonly_limit value (rh#1926261)
+ Fix check whether the subkey can be used for signing
+ Hardening: add signature check with rpmcliVerifySignatures
(CVE-2021-3445, CVE-2021-3421, CVE-2021-20271, rh#1932079, rh#1932089,
rh#1932090, bsc#1183779)
+ Add a config option sslverifystatus, defaults to false (rh#1814383)
+ [context] Add API for distro-sync

- Fix dependency for repo-config-zypp subpackage to work with SLE

Update to 0.60.0

+ Fix repo.fresh() implementation
+ Fix: Fully set ssl in newHandle function
+ [conf] Add options for working with certificates used with proxy
+ Apply proxy certificate options
+ lock: Switch return-if-fail to assert to quiet gcc -fanalyzer
+ build-sys: Clean up message about Python bindings
+ Modify module NSVCA parsing - context definition (rh#1926771)
+ [context] Fix: dnf_package_is_installonly (rh#1928056)
+ Fix problematic language
+ Add getApplicablePackages to advisory and isApplicable to advisorymodule
+ Keep isAdvisoryApplicable to preserve API
+ Run ModulePackageContainerTest tests in tmpdir, merge interdependent
+ [context] Support config file option "proxy_auth_method", defaults "any"
+ Properly handle multiple collections in updateinfo.xml (rh#1804234)
+ Support main config file option "installonlypkgs"
+ Support main config file option "protected_packages"

- Add repo-config-zypp subpackage to allow easily using Zypper repository
configuration

- Backport support for using certificates for repository authorization
- Backport another fix for adding controls to installonlypkgs
- Add patch to move directory for dnf state data to /usr/lib/sysimage
- Backport fixes to add controls for installonlypkgs and protected_packages

Update to version 0.58.0

+ Option: Add reset() method
+ Add OptionBinds::getOption() method
+ [context] Add dnf_repo_conf_from_gkeyfile() and dnf_repo_conf_reset()
+ [context] Add support for options: minrate, throttle, bandwidth, timeout
+ [context] Remove g_key_file_get_string() from dnf_repo_set_keyfile_data()
+ Allow loading ext metadata even if only cache (solv) is present
+ Add ASAN_OPTIONS for test_libdnf_main
+ [context,API] Functions for accessing main/global configuration options
+ [context,API] Function for adding setopt
+ Add getter for modular obsoletes from ModuleMetadata
+ Add ModulePackage.getStaticContext() and getRequires()
+ Add compatible layer for MdDocuments v2
+ Fix modular queries with the new solver
+ Improve formatting of error string for modules
+ Change mechanism of module conflicts
+ Fix load/update FailSafe

Update to version 0.55.2

+ Improve performance of query installed() and available()
+ Swdb: Add a method to get the current transaction
+ [modules] Add special handling for src artifacts (rh#1809314)
+ Better msgs if "basecachedir" or "proxy_password" isn't set (rh#1888946)
+ Add new options module_stream_switch
+ Support allow_vendor_change setting in dnf context API

Update to version 0.55.0

+ Add vendor to dnf API (rh#1876561)
+ Add formatting function for solver error
+ Add error types in ModulePackageContainer
+ Implement module enable for context part
+ Improve string formatting for translation
+ Remove redundant printf and change logging info to notice (rh#1827424)
+ Add allow_vendor_change option (rh#1788371) (rh#1788371)

Update to version 0.54.2

+ history: Fix dnf history rollback when a package was removed (rh#1683134)
+ Add support for HY_GT, HY_LT in query nevra_strict
+ Fix parsing empty lines in config files
+ Accept '==' as an operator in reldeps (rh#1847946)
+ Add log file level main config option (rh#1802074)
+ Add protect_running_kernel configuration option (rh#1698145)
+ Context part of libdnf cannot assume zchunk is on (rh#1851841,
rh#1779104)
+ Fix memory leak of resultingModuleIndex and handle g_object refs
+ Redirect librepo logs to libdnf logs with different source
+ Add hy_goal_lock
+ Enum/String conversions for Transaction Store/Replay
+ utils: Add a method to decode URLs
+ Unify hawkey.log line format with the rest of the logs

Update to version 0.48.0

+ Add prereq_ignoreinst & regular_requires properties for pkg (rh#1543449)
+ Reset active modules when no module enabled or default (rh#1767351)
+ Add comment option to transaction (rh#1773679)
+ Failing to get module defauls is a recoverable error
+ Baseurl is not exclusive with mirrorlist/metalink (rh#1775184)
+ Add new function to reset all modules in C API
(dnf_context_reset_all_modules)
+ [context] Fix to preserve additionalMetadata content (rh#1808677)
+ Fix filtering of DepSolvables with source rpms (rh#1812596)
+ Add setter for running kernel protection setting
+ Handle situation when an unprivileged user cannot create history
database (rh#1634385)
+ Add query filter: latest by priority
+ Add DNF_NO_PROTECTED flag to allow empty list of protected packages
+ Remove 'dim' option from terminal colors to make them more readable
(rh#1807774, rh#1814563)
+ [context] Error when main config file can't be opened (rh#1794864)
+ [context] Add function function dnf_context_is_set_config_file_path
+ swdb: Catch only SQLite3 exceptions and simplify the messages
+ MergedTransaction list multiple comments (rh#1773679)
+ Modify CMake to pull *.po files from weblate
+ Optimize DependencyContainer creation from an existing queue
+ fix a memory leak in dnf_package_get_requires()
+ Fix memory leaks on g_build_filename()
+ Fix memory leak in dnf_context_setup()
+ Add `hy_goal_favor` and `hy_goal_disfavor`
+ Define a cleanup function for `DnfPackageSet`
+ dnf-repo: fix dnf_repo_get_public_keys double-free
+ Do not cache RPMDB
+ Use single-quotes around string literals used in SQL statements
+ SQLite3: Do not close the database if it wasn't opened (rh#1761976)
+ Don't create a new history DB connection for in-memory DB
+ transaction/Swdb: Use a single logger variable in constructor
+ utils: Add a safe version of pathExists()
+ swdb: Handle the case when pathExists() fails on e.g. permission
+ Repo: prepend "file://" if a local path is used as baseurl
+ Move urlEncode() to utils
+ utils: Add 'exclude' argument to urlEncode()
+ Encode package URL for downloading through librepo (rh#1817130)
+ Replace std::runtime_error with libdnf::RepoError
+ Fixes and error handling improvements of the File class
+ [context] Use ConfigRepo for gpgkey and baseurl (rh#1807864)
+ [context] support "priority" option in .repo config file (rh#1797265)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2021-2685=1


Package List:

- openSUSE Leap 15.3 (aarch64 i586 ppc64le s390x x86_64):

libdnf-debuginfo-0.62.0-5.3.1
libdnf-debugsource-0.62.0-5.3.1
libdnf-devel-0.62.0-5.3.1
libdnf-repo-config-zypp-0.62.0-5.3.1
libdnf2-0.62.0-5.3.1
libdnf2-debuginfo-0.62.0-5.3.1
python3-hawkey-0.62.0-5.3.1
python3-hawkey-debuginfo-0.62.0-5.3.1
python3-libdnf-0.62.0-5.3.1
python3-libdnf-debuginfo-0.62.0-5.3.1

- openSUSE Leap 15.3 (noarch):

hawkey-man-0.62.0-5.3.1

References:

  https://www.suse.com/security/cve/CVE-2021-20271.html
  https://www.suse.com/security/cve/CVE-2021-3421.html
  https://www.suse.com/security/cve/CVE-2021-3445.html
  https://bugzilla.suse.com/1183779