7021171: CVE-2017-7435, CVE-2017-7436 and CVE-2017-9269: libzypp-16.15.2 and higher will no longer automatically accept unsigned packages / repositories.

SUSE Linux Enterprise Desktop 12

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)

SUSE Manager 3

SUSE Manager 3.1

Due to CVE-2017-7435, CVE-2017-7436 changes were made to the behaviour of libzypp to not allow unsigned packages or repositories by default.

In the case of SUSE Manager, for a short period of time, libzypp-16.15.(>=2) will silently accept unsigned packages if a repositories gpgcheck configuration is explicitly turned off, for example:

gpgcheck = 0

repo_gpgcheck = 0

pkg_gpgcheck = 1

With libzypp-16.16.* the above configuration will reject unsigned packages.

With zypper-1.13.31 the following new options will be available to manage the behaviour changes for adding and modifying repositories:

–gpgcheck (default: requires either signed repo or signed package)

gpgcheck = 1

(repo_gpgcheck/pkg_gpgcheck unset: follow zypp.conf)

–gpgcheck-strikt (requires signed package even for signed repos)

gpgcheck = 1

repo_gpgcheck = 1

pkg_gpgcheck = 1

–gpgcheck-allow-unsigned (allow repo and package to be unsigned)

gpgcheck = 1

repo_gpgcheck = 0

pkg_gpgcheck = 0

–gpgcheck-allow-unsigned-repo (allow repo to be unsigned)

gpgcheck = 1

repo_gpgcheck = 0

(pkg_gpgcheck unset: follow zypp.conf)

–gpgcheck-allow-unsigned-package (allow package to be unsigned)

gpgcheck = 1

(repo_gpgcheck unset: follow zypp.conf)

pkg_gpgcheck = 0

The changes were needed to address security issues related to CVE-2017-7435, CVE-2017-7436 and CVE-2017-9269.

In the case for SUSE Manager where customers add their own unsigned packages into repositories, these used to be accepted by default without any warning. With the newer libzypp version however a warning will be shown:

File ‘repomd.xml’ from repository ‘repo_name’ is unsigned, continue? [yes/no] (no):

and should it be a non-interactive run it will be declined by default.