| Summary: | Update request: x11-server 1.19.5 for a regression + several CVEs | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Thomas Backlund <tmb> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, jim, smelror, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | x11-server | CVE: | |
| Status comment: | | | |

Description
Thomas Backlund
2017-10-13 19:30:11 CEST
Hi.

System: MGA6 x86_64

Using this update with Openbox without any issues after a complete reboot of my system.

$ rpm -qa | grep x11-server
x11-server-xnest-1.19.5-1.1.mga6
x11-server-common-1.19.5-1.1.mga6
x11-server-xwayland-1.19.5-1.1.mga6
x11-server-xorg-1.19.5-1.1.mga6

Only have systems with 1 monitor, so haven't seen the issue mentioned.

Cheers,
Stig

CC: (none) => smelror

Fedora has issued an advisory for this today (October 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7PTJE7ZFQ6WA3TNLKJYRT5SI74CWC3ID/

Debian has issued an advisory for this on October 17:
https://www.debian.org/security/2017/dsa-4000

It mentions two CVEs, CVE-2017-13721 and CVE-2017-13723, that Thomas didn't mention before. Do we have fixes for those?

MGA6-32 on Asus A6000VM MATE

No installation issues.

Before the update I tried to replicate the issue with Firefox as mentioned above, using my beamer as secondary screen. The problem did not show up, but MATE played havoc with the screen settings. I needed several Ctrl-Alt-Backspace operations to get back to a normal situation.

After the update I checked normal operation of panel, menus and shortcuts and opened documents, pictures, music and videos all OK.

CC: (none) => herman.viaene

(In reply to David Walser from comment #3)
> Debian has issued an advisory for this on October 17:
> https://www.debian.org/security/2017/dsa-4000
> It mentions two CVEs, CVE-2017-13721 and CVE-2017-13723, that Thomas didn't
> mention before. Do we have fixes for those?

This is important to know. Or can we expect an updated update? Should these CVEs be in the advisory?

----------------------------------

Using M6/64 XFCE

x11-server-xorg-1.19.5-1.1.mga6
x11-server-xwayland-1.19.5-1.1.mga6
x11-server-common-1.19.5-1.1.mga6

without problems; but holding the OK for a bit.

-----------------------------------------------

Have uploaded an advisory from comments 0, 2, 3. But *without* the 2 CVEs mentioned in comment 3 since I do not know whether they are covered by this update as it stands. If they are, please add them to the advisory.

Keywords: (none) => advisory

(In reply to David Walser from comment #3)
> Debian has issued an advisory for this on October 17:
> https://www.debian.org/security/2017/dsa-4000
>
> It mentions two CVEs, CVE-2017-13721 and CVE-2017-13723, that Thomas didn't
> mention before. Do we have fixes for those?

We did them as part of 1.19.4 update:
https://advisories.mageia.org/MGASA-2017-0366.html

Mageia release 6 (Official) for x86_64
4.9.56-desktop-1.mga6
Desktop: Gnome 3.24.2
Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
NVIDIA Corporation GK104 [GeForce GTX 770]
RAM 15.35 GB

--------------------------------------

2560x1440 pixels (677x381 millimeters)

--------------------------------------

Display Server: Mageia X.org 119.4 drivers: nvidia,v4l
GLX Version: 4.5.0 NVIDIA 384.59

Installed all the components (some were already installed). Ran the updates. Logged out of GNOME.

Logged into GNOME on Xorg and the desktop came up OK. Ran vlc to play a video. Viewed images. Logged in to another workstation on the LAN and played videos, viewed images and used firefox. The latter two responded to keyboard events fairly promptly as well as mouse clicks. That all looks fine.

CC: (none) => tarazed25

The starting point for the installation in the test reported in comment 7 was from a standpoint of the default login for GNOME. Testing was done by logging in to GNOME on Xorg. We should test the Wayland server also but is the default login for GNOME Wayland? If so it can be tested. Is it safe to assume that GNOME Classic runs under Wayland?

This bug has nothing to do with Wayland.

On mga6-64 plasma
Packages installed cleanly:
- x11-server-common-1.19.5-1.1.mga6.x86_64
- x11-server-xorg-1.19.5-1.1.mga6.x86_64
- x11-server-xwayland-1.19.5-1.1.mga6.x86_64
Played videos in VLC and flash-player, streaming on flash-player, YouTube videos.
Used LO .ods and odt files
No regressions noted
$ inxi -G
Graphics: Card: Intel HD Graphics 530
Display Server: Mageia X.org 119.5 drivers: v4l,intel Resolution: 1920x1080@60.00hz
GLX Renderer: Mesa DRI Intel HD Graphics 530 (Skylake GT2) GLX Version: 3.0 Mesa 17.1.5
Looks OK for mga6-64

CC: (none) => jim

Re comment 9. So where does x11-xserver-xwayland come into this? Do we just ignore it?

On mga6-32 in a vbox VM
packages installed cleanly;
x11-server-xwayland-1.19.5-1.1.mga6.i586
x11-server-xorg-1.19.5-1.1.mga6.i586
x11-server-common-1.19.5-1.1.mga6.i586
played videos; used LO
no regressions noted
$ inxi -G
Graphics: Card: InnoTek Systemberatung VirtualBox Graphics Adapter
Display Server: Mageia X.org 119.5 drivers: modesetting,v4l
GLX Renderer: Gallium 0.4 on llvmpipe (LLVM 3.9, 256 bits)
looks OK for mga6-32 in a vbox VM

Yes you can ignore xwayland, that's not what the CVEs are about. Also, we're primarily just concerned with the functionality of the X server.

The testing looks decent: thanks James for your confirmations. Adding 2nd OK & validating.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0401.html

Resolution: (none) => FIXED