This is public now as of today:
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23

CC: (none) => luigiwalser

Thierry has updated a bunch of stuff in Cauldron, hopefully fixing this.

Nothing has been uploaded for Mageia 2 yet, but Thierry did upload updates for libxi and libx11 for Mageia 3.  There's a lot more yet to come I assume.

Uploaded so far:
libx11_6-1.5.99.902-1.mga3
libx11_6-devel-1.5.99.902-1.mga3
libx11_6-static-devel-1.5.99.902-1.mga3
libx11-common-1.5.99.902-1.mga3
libx11-doc-1.5.99.902-1.mga3
libxi6-1.6.2.901-1.mga3
libxi-devel-1.6.2.901-1.mga3
libxi-static-devel-1.6.2.901-1.mga3

from Source RPMs:
libx11-1.5.99.902-1.mga3.src.rpm
libxi-1.6.2.901-1.mga3.src.rpm

CC: (none) => thierry.vignaud
Version: 2 => 3
Whiteboard: (none) => MGA2TOO

As well as the x11 chrome driver (x11-driver-video-openchrome).

For the other libraries, we'll need to pick fixes from GIT (http://cgit.freedesktop.org/)
Though they're should be new releases next week.

Thanks, don't want any packages to get lost.

Uploaded so far:
libx11_6-1.5.99.902-1.mga3
libx11_6-devel-1.5.99.902-1.mga3
libx11_6-static-devel-1.5.99.902-1.mga3
libx11-common-1.5.99.902-1.mga3
libx11-doc-1.5.99.902-1.mga3
libxi6-1.6.2.901-1.mga3
libxi-devel-1.6.2.901-1.mga3
libxi-static-devel-1.6.2.901-1.mga3
x11-driver-video-openchrome-0.3.3-1.mga3

from Source RPMs:
libx11-1.5.99.902-1.mga3.src.rpm
libxi-1.6.2.901-1.mga3.src.rpm
x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm

Debian has issued advisories for this on May 23:
http://www.debian.org/security/2013/dsa-2673
http://www.debian.org/security/2013/dsa-2674
http://www.debian.org/security/2013/dsa-2675
http://www.debian.org/security/2013/dsa-2676
http://www.debian.org/security/2013/dsa-2677
http://www.debian.org/security/2013/dsa-2678
http://www.debian.org/security/2013/dsa-2679
http://www.debian.org/security/2013/dsa-2680
http://www.debian.org/security/2013/dsa-2681
http://www.debian.org/security/2013/dsa-2682
http://www.debian.org/security/2013/dsa-2683
http://www.debian.org/security/2013/dsa-2684
http://www.debian.org/security/2013/dsa-2685
http://www.debian.org/security/2013/dsa-2686
http://www.debian.org/security/2013/dsa-2687
http://www.debian.org/security/2013/dsa-2688
http://www.debian.org/security/2013/dsa-2689
http://www.debian.org/security/2013/dsa-2690
http://www.debian.org/security/2013/dsa-2691
http://www.debian.org/security/2013/dsa-2692

This includes source packages:
libdmx, libxv, libxvmc, libxfixes, libxrender, mesa, xserver-xorg-video-openchrome, libxt, libxcursor, libxext, libxi, libxrandr, libxp, libxcb, libfs, libxres, libxtst, libxxf86dga, libxinerama, libxxf86vm

The initial libxvmc update had a regression, then was corrected:
http://lwn.net/Alerts/551797/

Given that mesa is included in that list, I suppose the mesa that Thierry also updated in {tainted,core}/updates_testing will be a part of this update.

Mesa packages uploaded:
mesa-9.1.3-1.mga3
libdricore1-9.1.3-1.mga3
libdricore1-devel-9.1.3-1.mga3
libmesagl1-9.1.3-1.mga3
libdri-drivers-9.1.3-1.mga3
libmesagl1-devel-9.1.3-1.mga3
libmesaegl1-9.1.3-1.mga3
libmesaegl1-devel-9.1.3-1.mga3
libosmesa8-9.1.3-1.mga3
libosmesa-devel-9.1.3-1.mga3
libglapi0-9.1.3-1.mga3
libglapi0-devel-9.1.3-1.mga3
libmesaglesv1_1-9.1.3-1.mga3
libmesaglesv1_1-devel-9.1.3-1.mga3
libmesaglesv2_2-9.1.3-1.mga3
libmesaglesv2_2-devel-9.1.3-1.mga3
libmesaopenvg1-9.1.3-1.mga3
libmesaopenvg1-devel-9.1.3-1.mga3
libllvmradeon9.1.3-9.1.3-1.mga3
libgbm1-9.1.3-1.mga3
libgbm1-devel-9.1.3-1.mga3
libwayland-egl1-9.1.3-1.mga3
libwayland-egl1-devel-9.1.3-1.mga3
libvdpau-driver-nouveau-9.1.3-1.mga3
libvdpau-driver-r300-9.1.3-1.mga3
libvdpau-driver-r600-9.1.3-1.mga3
libvdpau-driver-radeonsi-9.1.3-1.mga3
libvdpau-driver-softpipe-9.1.3-1.mga3
mesa-common-devel-9.1.3-1.mga3

from mesa-9.1.3-1.mga3.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/551694/

I just pushed the additional packages:
- libxfixes-5.0.1-1.mga3todo
- libfs-1.0.5-1.mga3
- libdmx-1.1.3-1.mga3

Thanks Thierry.

Uploaded this morning:
libdmx1-1.1.3-1.mga3
libdmx-devel-1.1.3-1.mga3
libdmx-static-devel-1.1.3-1.mga3
libfs6-1.0.5-1.mga3
libfs-devel-1.0.5-1.mga3
libfs-static-devel-1.0.5-1.mga3
libxfixes3-5.0.1-1.mga3
libxfixes3-devel-5.0.1-1.mga3
libxfixes3-static-devel-5.0.1-1.mga3
libxcursor1-1.1.14-1.mga3
libxcursor-devel-1.1.14-1.mga3
libxcursor-static-devel-1.1.14-1.mga3

from SRPMS:
libdmx-1.1.3-1.mga3.src.rpm
libfs-1.0.5-1.mga3.src.rpm
libxfixes-5.0.1-1.mga3.src.rpm
libxcursor-1.1.14-1.mga3.src.rpm

More uploaded by Thierry in the last couple days:
libdmx1-1.1.3-1.mga3
libdmx-devel-1.1.3-1.mga3
libdmx-static-devel-1.1.3-1.mga3
libfs6-1.0.5-1.mga3
libfs-devel-1.0.5-1.mga3
libfs-static-devel-1.0.5-1.mga3
libxfixes3-5.0.1-1.mga3
libxfixes3-devel-5.0.1-1.mga3
libxfixes3-static-devel-5.0.1-1.mga3
libxcursor1-1.1.14-1.mga3
libxcursor-devel-1.1.14-1.mga3
libxcursor-static-devel-1.1.14-1.mga3
libxp6-1.0.2-1.mga3
libxp-devel-1.0.2-1.mga3
libxp-static-devel-1.0.2-1.mga3
libxt6-1.1.4-1.mga3
libxt-devel-1.1.4-1.mga3
libxt-static-devel-1.1.4-1.mga3
libxres1-1.0.7-1.mga3
libxres1-devel-1.0.7-1.mga3
libxres1-static-devel-1.0.7-1.mga3
libxxf86vm1-1.1.3-1.mga3
libxxf86vm-devel-1.1.3-1.mga3
libxxf86vm-static-devel-1.1.3-1.mga3
libxxf86dga1-1.1.4-1.mga3
libxxf86dga-devel-1.1.4-1.mga3
libxxf86dga-static-devel-1.1.4-1.mga3
libxcb1-1.9.1-1.mga3
libxcb-devel-1.9.1-1.mga3
libxcb-static-devel-1.9.1-1.mga3
libxcb-doc-1.9.1-1.mga3
libxcb-composite0-1.9.1-1.mga3
libxcb-damage0-1.9.1-1.mga3
libxcb-dpms0-1.9.1-1.mga3
libxcb-dri2_0-1.9.1-1.mga3
libxcb-glx0-1.9.1-1.mga3
libxcb-randr0-1.9.1-1.mga3
libxcb-record0-1.9.1-1.mga3
libxcb-render0-1.9.1-1.mga3
libxcb-res0-1.9.1-1.mga3
libxcb-screensaver0-1.9.1-1.mga3
libxcb-shape0-1.9.1-1.mga3
libxcb-shm0-1.9.1-1.mga3
libxcb-sync0-1.9.1-1.mga3
libxcb-xevie0-1.9.1-1.mga3
libxcb-xf86dri0-1.9.1-1.mga3
libxcb-xfixes0-1.9.1-1.mga3
libxcb-xinerama0-1.9.1-1.mga3
libxcb-xprint0-1.9.1-1.mga3
libxcb-xtest0-1.9.1-1.mga3
libxcb-xv0-1.9.1-1.mga3
libxcb-xvmc0-1.9.1-1.mga3
libxinerama1-1.1.3-1.mga3
libxinerama1-devel-1.1.3-1.mga3
libxinerama1-static-devel-1.1.3-1.mga3
libxtst6-1.2.2-1.mga3
libxtst6-devel-1.2.2-1.mga3
libxtst6-static-devel-1.2.2-1.mga3

from SRPMS:
libdmx-1.1.3-1.mga3.src.rpm
libfs-1.0.5-1.mga3.src.rpm
libxfixes-5.0.1-1.mga3.src.rpm
libxcursor-1.1.14-1.mga3.src.rpm
libxp-1.0.2-1.mga3.src.rpm
libxt-1.1.4-1.mga3.src.rpm
libxres-1.0.7-1.mga3.src.rpm
libxxf86vm-1.1.3-1.mga3.src.rpm
libxxf86dga-1.1.4-1.mga3.src.rpm
libxcb-1.9.1-1.mga3.src.rpm
libxinerama-1.1.3-1.mga3.src.rpm
libxtst-1.2.2-1.mga3.src.rpm

Uploaded by Oden for Mageia 2:
libfs6-1.0.4-1.1.mga2
libfs-devel-1.0.4-1.1.mga2
libfs-static-devel-1.0.4-1.1.mga2

from libfs-1.0.4-1.1.mga2.src.rpm

Just to see where we're at, here's the list of packages needed with the current SRPM if it has already been fixed for Mageia 3:

libdmx - libdmx-1.1.3-1.mga3.src.rpm
libfs - libfs-1.0.5-1.mga3.src.rpm
libx11 - libx11-1.5.99.902-1.mga3.src.rpm
libxcb - libxcb-1.9.1-1.mga3.src.rpm
libxcursor - libxcursor-1.1.14-1.mga3.src.rpm
libxext - 
libxfixes - libxfixes-5.0.1-1.mga3.src.rpm
libxi - libxi-1.6.2.901-1.mga3.src.rpm
libxinerama - libxinerama-1.1.3-1.mga3.src.rpm
libxp - libxp-1.0.2-1.mga3.src.rpm
libxrandr - 
libxrender - 
libxres - libxres-1.0.7-1.mga3.src.rpm
libxt - libxt-1.1.4-1.mga3.src.rpm
libxtst - libxtst-1.2.2-1.mga3.src.rpm
libxv - 
libxvmc - 
libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm
libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm
mesa - mesa-9.1.3-1.mga3.src.rpm
openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm

A few more built by Thierry this morning:
libxv1-1.0.8-1.mga3
libxv1-devel-1.0.8-1.mga3
libxv1-static-devel-1.0.8-1.mga3
libxrandr2-1.4.1-1.mga3
libxrandr2-devel-1.4.1-1.mga3
libxrandr2-static-devel-1.4.1-1.mga3
libxext6-1.3.2-1.mga3
libxext6-devel-1.3.2-1.mga3
libxext6-static-devel-1.3.2-1.mga3

from SRPMS:
libxv-1.0.8-1.mga3.src.rpm
libxrandr-1.4.1-1.mga3.src.rpm
libxext-1.3.2-1.mga3.src.rpm


Current status for Mageia 3:

libdmx - libdmx-1.1.3-1.mga3.src.rpm
libfs - libfs-1.0.5-1.mga3.src.rpm
libx11 - libx11-1.5.99.902-1.mga3.src.rpm
libxcb - libxcb-1.9.1-1.mga3.src.rpm
libxcursor - libxcursor-1.1.14-1.mga3.src.rpm
libxext - libxext-1.3.2-1.mga3.src.rpm
libxfixes - libxfixes-5.0.1-1.mga3.src.rpm
libxi - libxi-1.6.2.901-1.mga3.src.rpm
libxinerama - libxinerama-1.1.3-1.mga3.src.rpm
libxp - libxp-1.0.2-1.mga3.src.rpm
libxrandr - libxrandr-1.4.1-1.mga3.src.rpm
libxrender - 
libxres - libxres-1.0.7-1.mga3.src.rpm
libxt - libxt-1.1.4-1.mga3.src.rpm
libxtst - libxtst-1.2.2-1.mga3.src.rpm
libxv - libxv-1.0.8-1.mga3.src.rpm
libxvmc - 
libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm
libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm
mesa - mesa-9.1.3-1.mga3.src.rpm
openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm

The libx11 update for Mageia 3 has been updated again:
libx11_6-1.6.0-1.mga3
libx11_6-devel-1.6.0-1.mga3
libx11_6-static-devel-1.6.0-1.mga3
libx11-common-1.6.0-1.mga3
libx11-doc-1.6.0-1.mga3

from libx11-1.6.0-1.mga3.src.rpm

RedHat has issued an advisory on June 3:
https://rhn.redhat.com/errata/RHSA-2013-0897.html

from http://lwn.net/Vulnerabilities/552862/

This update for Mesa fixes the CVE listed in the X.org advisory (CVE-2013-1993) as well as a new one, CVE-2013-1872.  It's not clear which versions of Mesa are affected, so we may have to address that one as well.

Thierry has built the last two packages for the Mageia 3 update:
libxrender1-0.9.8-1.mga3
libxrender1-devel-0.9.8-1.mga3
libxrender1-static-devel-0.9.8-1.mga3
libxvmc1-1.0.8-1.mga3
libxvmc1-devel-1.0.8-1.mga3
libxvmc1-static-devel-1.0.8-1.mga3

from SRPMS:
libxrender-0.9.8-1.mga3.src.rpm
libxvmc-1.0.8-1.mga3.src.rpm


Full SRPM list for Mageia 3 update:
libdmx - libdmx-1.1.3-1.mga3.src.rpm
libfs - libfs-1.0.5-1.mga3.src.rpm
libx11 - libx11-1.5.99.902-1.mga3.src.rpm
libxcb - libxcb-1.9.1-1.mga3.src.rpm
libxcursor - libxcursor-1.1.14-1.mga3.src.rpm
libxext - libxext-1.3.2-1.mga3.src.rpm
libxfixes - libxfixes-5.0.1-1.mga3.src.rpm
libxi - libxi-1.6.2.901-1.mga3.src.rpm
libxinerama - libxinerama-1.1.3-1.mga3.src.rpm
libxp - libxp-1.0.2-1.mga3.src.rpm
libxrandr - libxrandr-1.4.1-1.mga3.src.rpm
libxrender - libxrender-0.9.8-1.mga3.src.rpm
libxres - libxres-1.0.7-1.mga3.src.rpm
libxt - libxt-1.1.4-1.mga3.src.rpm
libxtst - libxtst-1.2.2-1.mga3.src.rpm
libxv - libxv-1.0.8-1.mga3.src.rpm
libxvmc - libxvmc-1.0.8-1.mga3.src.rpm
libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm
libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm
mesa - mesa-9.1.3-1.mga3.src.rpm
openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm

(In reply to David Walser from comment #13)
> RedHat has issued an advisory on June 3:
> https://rhn.redhat.com/errata/RHSA-2013-0897.html
> 
> from http://lwn.net/Vulnerabilities/552862/
> 
> This update for Mesa fixes the CVE listed in the X.org advisory
> (CVE-2013-1993) as well as a new one, CVE-2013-1872.  It's not clear which
> versions of Mesa are affected, so we may have to address that one as well.

Thierry, Oden, anyone, does the above additional Mesa issue affect us?

CVE-2013-1872, CVE-2013-1993 has been fixed in mesa-8.0.5-1.1.mga2
CVE-2013-1872 has been fixed in mesa-9.1.3-1.1.mga3

Thanks Oden.  Now we have all we need for the Mageia 3 update but an advisory.

I'll file a new bug so it can go to QA.

Updated Mesa packages:
mesa-9.1.3-1.1.mga3
libdricore1-9.1.3-1.1.mga3
libdricore1-devel-9.1.3-1.1.mga3
libmesagl1-9.1.3-1.1.mga3
libdri-drivers-9.1.3-1.1.mga3
libmesagl1-devel-9.1.3-1.1.mga3
libmesaegl1-9.1.3-1.1.mga3
libmesaegl1-devel-9.1.3-1.1.mga3
libosmesa8-9.1.3-1.1.mga3
libosmesa-devel-9.1.3-1.1.mga3
libglapi0-9.1.3-1.1.mga3
libglapi0-devel-9.1.3-1.1.mga3
libmesaglesv1_1-9.1.3-1.1.mga3
libmesaglesv1_1-devel-9.1.3-1.1.mga3
libmesaglesv2_2-9.1.3-1.1.mga3
libmesaglesv2_2-devel-9.1.3-1.1.mga3
libmesaopenvg1-9.1.3-1.1.mga3
libmesaopenvg1-devel-9.1.3-1.1.mga3
libllvmradeon9.1.3-9.1.3-1.1.mga3
libgbm1-9.1.3-1.1.mga3
libgbm1-devel-9.1.3-1.1.mga3
libwayland-egl1-9.1.3-1.1.mga3
libwayland-egl1-devel-9.1.3-1.1.mga3
libvdpau-driver-nouveau-9.1.3-1.1.mga3
libvdpau-driver-r300-9.1.3-1.1.mga3
libvdpau-driver-r600-9.1.3-1.1.mga3
libvdpau-driver-radeonsi-9.1.3-1.1.mga3
libvdpau-driver-softpipe-9.1.3-1.1.mga3
mesa-common-devel-9.1.3-1.1.mga3

from mesa-9.1.3-1.1.mga3.src.rpm

Full SRPM list for Mageia 3 update:
libdmx - libdmx-1.1.3-1.mga3.src.rpm
libfs - libfs-1.0.5-1.mga3.src.rpm
libx11 - libx11-1.5.99.902-1.mga3.src.rpm
libxcb - libxcb-1.9.1-1.mga3.src.rpm
libxcursor - libxcursor-1.1.14-1.mga3.src.rpm
libxext - libxext-1.3.2-1.mga3.src.rpm
libxfixes - libxfixes-5.0.1-1.mga3.src.rpm
libxi - libxi-1.6.2.901-1.mga3.src.rpm
libxinerama - libxinerama-1.1.3-1.mga3.src.rpm
libxp - libxp-1.0.2-1.mga3.src.rpm
libxrandr - libxrandr-1.4.1-1.mga3.src.rpm
libxrender - libxrender-0.9.8-1.mga3.src.rpm
libxres - libxres-1.0.7-1.mga3.src.rpm
libxt - libxt-1.1.4-1.mga3.src.rpm
libxtst - libxtst-1.2.2-1.mga3.src.rpm
libxv - libxv-1.0.8-1.mga3.src.rpm
libxvmc - libxvmc-1.0.8-1.mga3.src.rpm
libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm
libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm
mesa - mesa-9.1.3-1.1.mga3.src.rpm
openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm

The Mageia 2 update isn't close to being ready, but here's the current status.

Oden just posted an updated Mesa:
mesa-8.0.5-1.1.mga2
libmesagl1-8.0.5-1.1.mga2
libdri-drivers-8.0.5-1.1.mga2
libmesagl1-devel-8.0.5-1.1.mga2
libmesaglu1-8.0.5-1.1.mga2
libmesaglu1-devel-8.0.5-1.1.mga2
libmesaegl1-8.0.5-1.1.mga2
libmesaegl1-devel-8.0.5-1.1.mga2
libglapi0-8.0.5-1.1.mga2
libglapi0-devel-8.0.5-1.1.mga2
libmesaglesv1_1-8.0.5-1.1.mga2
libmesaglesv1_1-devel-8.0.5-1.1.mga2
libmesaglesv2_2-8.0.5-1.1.mga2
libmesaglesv2_2-devel-8.0.5-1.1.mga2
libmesaopenvg1-8.0.5-1.1.mga2
libmesaopenvg1-devel-8.0.5-1.1.mga2
libgbm1-8.0.5-1.1.mga2
libgbm1-devel-8.0.5-1.1.mga2
libwayland-egl1-8.0.5-1.1.mga2
libwayland-egl1-devel-8.0.5-1.1.mga2
mesa-common-devel-8.0.5-1.1.mga2

from mesa-8.0.5-1.1.mga2.src.rpm

Full SRPM list for Mageia 2 update:
libdmx - 
libfs - libfs-1.0.4-1.1.mga2.src.rpm
libx11 - 
libxcb - 
libxcursor - 
libxext - 
libxfixes - 
libxi - 
libxinerama - 
libxp - 
libxrandr - 
libxrender - 
libxres - 
libxt - 
libxtst - 
libxv - 
libxvmc - 
libxxf86dga - 
libxxf86vm - 
mesa - mesa-8.0.5-1.1.mga2.src.rpm
openchrome -

Bug 10565 has been filed for the Mageia 3 update.

Bug 10569 has been filed for the Mesa update only on Mageia 2.

List of remaining SRPMS for the Mageia 2 update:
libdmx - 
libfs - libfs-1.0.4-1.1.mga2.src.rpm
libx11 - 
libxcb - 
libxcursor - 
libxext - 
libxfixes - 
libxi - 
libxinerama - 
libxp - 
libxrandr - 
libxrender - 
libxres - 
libxt - 
libxtst - 
libxv - 
libxvmc - 
libxxf86dga - 
libxxf86vm - 
openchrome -

Mageia 3 was fixed in Bug 10565 and Bug 10569.

Closing this now due to Mageia 2 EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: NEW => RESOLVED
Version: 3 => 2
Resolution: (none) => OLD
Whiteboard: MGA2TOO => (none)