| Summary: | libxdmcp new security issue CVE-2017-2625 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, mageia, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-64-OK | ||
| Source RPM: | libxdmcp-1.1.2-4.mga6.src.rpm | CVE: | CVE-2017-2625 |
| Status comment: | |||
Description
David Walser
2017-03-01 12:20:47 CET

David Walser
2017-03-01 12:20:57 CET
Whiteboard: (none) => MGA5TOO

I added BR on libbsd-devel for cauldron:
http://svnweb.mageia.org/packages?view=revision&revision=1088369

thierry, this is a fix for this CVE ?

CC: (none) => mageia

Nicolas Lécureuil
2017-05-03 23:37:54 CEST
CVE: (none) => CVE-2017-2625

confirmed with debian, this fixes the CVE

Version: Cauldron => 5

pushed in updates_testing for mageia 5

src.rpm: libxdmcp-1.1.1-7.1.mga5

Assignee: thierry.vignaud => qa-bugs

Advisory:
========================

Updated libxdmcp packages fix security vulnerability:

XDM uses weak entropy to generate the session keys on non BSD systems. On multi user systems it might be possible to check the PID of the process and how long it is running to get an estimate of these values, which could allow an attacker to attach to the session of a different user (CVE-2017-2625).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2625
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
========================

Updated packages in core/updates_testing:
========================
libxdmcp6-1.1.1-7.1.mga5
libxdmcp-devel-1.1.1-7.1.mga

from libxdmcp-1.1.1-7.1.mga5.src.rpm

MGA5-32 on Asus A6000VM Xfce

No installation issues
Under
# urpmq --whatrequires libxdmcp6
I found gdm, kdm and xdm, so I rebooted and all went normal.
Most of the other dependencies are servers, and I have no idea how to trace those.
Someone else to judge if this is sufficient to OK.

CC: (none) => herman.viaene

Installed and tested without issues.

Have this package installed for several days and haven't noticed any regressions. Tests included:
- running KDM, xdm and Xorg as usual;
- running multiple user sessions at the same time;
- using xauth to copy a session MIT-MAGIC-COOKIE-1 to a remote machine and running some remote X11 applications;
- X11 tunnelling through ssh.

Didn't actually test a remote X11 session using XDMCP but the changes were related to MIT-MAGIC-COOKIE-1 so the tests should cover the changed code.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ LANGUAGE=C rpm -q $( urpmq --whatrequires lib64xdmcp6 | sort -u) | grep -v "not installed"
kdm-4.11.22-1.mga5
lib64xcb1-1.11.1-1.mga5
lib64xdmcp6-1.1.1-7.1.mga5
lib64xdmcp-devel-1.1.1-7.1.mga5
x11-server-xorg-1.16.4-2.2.mga5
xdm-1.1.11-14.mga5

CC: (none) => mageia

Lewis Smith
2017-09-06 11:42:14 CEST
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Moving 'advisory' from whiteboard to keywords now that madb has been updated to handle that keyword.

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0330.html

Status: NEW => RESOLVED
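The advisory above describes the weak-entropy problem in one sentence: on non-BSD systems the session key came from a PRNG whose only inputs were the process ID and the clock, both of which another local user can estimate. The following C program is an added illustration written for this page; it is not code from libxdmcp, the X41 advisory or the Mageia package. The weak function is a hypothetical model of that pattern (libc random() seeded with pid XOR time, eight bytes taken from it), and the hardened function fills the key from the kernel CSPRNG via /dev/urandom so the example builds without libbsd; the actual fix that the libbsd-devel BuildRequires points to uses arc4random_buf(), and getrandom(2) on glibc 2.25+ is equivalent. The 8-byte key length and the sample pid/time values are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define KEY_LEN 8  /* constructed: 8-byte session key for the demonstration */

/* Hypothetical model of the pre-fix, non-BSD path the advisory describes:
 * a libc PRNG seeded with (pid XOR wall-clock seconds) supplies the key.
 * pid and t are parameters so the weakness can be shown deterministically. */
static void weak_generate_key(unsigned char key[KEY_LEN], pid_t pid, time_t t)
{
    srandom((unsigned int)((long)pid ^ (long)t));
    long lowbits = random();
    long highbits = random();
    for (int i = 0; i < 4; i++) {
        key[i]     = (unsigned char)(lowbits  >> (8 * i));
        key[4 + i] = (unsigned char)(highbits >> (8 * i));
    }
}

/* Hardened form: take the key bytes from the kernel CSPRNG. The real fix
 * uses libbsd's arc4random_buf(); /dev/urandom is used here so the example
 * compiles without libbsd. Returns 0 on success, -1 on failure. */
static int strong_generate_key(unsigned char key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Same (pid, second) pair -> same key: anyone who can estimate both inputs
 * can regenerate the key. Returns 1 if the two keys match. */
int weak_key_is_reproducible(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    weak_generate_key(a, 4242, 1488370847);  /* constructed pid and time */
    weak_generate_key(b, 4242, 1488370847);
    return memcmp(a, b, KEY_LEN) == 0;
}

/* XOR-combining pid and time also shrinks the seed space: different
 * (pid, time) pairs with equal XOR yield the same seed and key. */
int weak_seed_collision(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    weak_generate_key(a, 1000, 1000);  /* 1000 ^ 1000 == 0 */
    weak_generate_key(b, 1001, 1001);  /* 1001 ^ 1001 == 0, same seed */
    return memcmp(a, b, KEY_LEN) == 0;
}

/* CSPRNG-backed keys are not reproducible: two draws differ (an 8-byte
 * collision has probability 2^-64). Returns 1 when they differ. */
int strong_keys_differ(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    if (strong_generate_key(a) != 0 || strong_generate_key(b) != 0)
        return 0;
    return memcmp(a, b, KEY_LEN) != 0;
}

int main(void)
{
    unsigned char k[KEY_LEN];
    weak_generate_key(k, getpid(), time(NULL));
    printf("weak key reproducible from pid/time: %d\n", weak_key_is_reproducible());
    printf("weak seed collision across pid/time pairs: %d\n", weak_seed_collision());
    printf("CSPRNG keys differ between draws: %d\n", strong_keys_differ());
    return 0;
}
```

Build with `cc -o xdm_key_demo xdm_key_demo.c` (file name is arbitrary). The point for a packager reviewing this update is the first two results: the weak scheme's key is a pure function of two guessable inputs, and the XOR folds them into at most 32 bits of seed, which is why the fix replaces the seeding with a CSPRNG rather than adding more inputs to the seed.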