This is public now as of today: http://www.x.org/wiki/Development/Security/Advisory-2013-05-23
CC: (none) => luigiwalser
Group: secteam => (none)
Thierry has updated a bunch of stuff in Cauldron, hopefully fixing this. Nothing has been uploaded for Mageia 2 yet, but Thierry did upload updates for libxi and libx11 for Mageia 3. There's a lot more yet to come I assume. Uploaded so far: libx11_6-1.5.99.902-1.mga3 libx11_6-devel-1.5.99.902-1.mga3 libx11_6-static-devel-1.5.99.902-1.mga3 libx11-common-1.5.99.902-1.mga3 libx11-doc-1.5.99.902-1.mga3 libxi6-1.6.2.901-1.mga3 libxi-devel-1.6.2.901-1.mga3 libxi-static-devel-1.6.2.901-1.mga3 from Source RPMs: libx11-1.5.99.902-1.mga3.src.rpm libxi-1.6.2.901-1.mga3.src.rpm
CC: (none) => thierry.vignaudVersion: 2 => 3Whiteboard: (none) => MGA2TOO
As well as the x11 chrome driver (x11-driver-video-openchrome). For the other libraries, we'll need to pick fixes from GIT (http://cgit.freedesktop.org/) Though they're should be new releases next week.
Thanks, don't want any packages to get lost. Uploaded so far: libx11_6-1.5.99.902-1.mga3 libx11_6-devel-1.5.99.902-1.mga3 libx11_6-static-devel-1.5.99.902-1.mga3 libx11-common-1.5.99.902-1.mga3 libx11-doc-1.5.99.902-1.mga3 libxi6-1.6.2.901-1.mga3 libxi-devel-1.6.2.901-1.mga3 libxi-static-devel-1.6.2.901-1.mga3 x11-driver-video-openchrome-0.3.3-1.mga3 from Source RPMs: libx11-1.5.99.902-1.mga3.src.rpm libxi-1.6.2.901-1.mga3.src.rpm x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm
Debian has issued advisories for this on May 23: http://www.debian.org/security/2013/dsa-2673 http://www.debian.org/security/2013/dsa-2674 http://www.debian.org/security/2013/dsa-2675 http://www.debian.org/security/2013/dsa-2676 http://www.debian.org/security/2013/dsa-2677 http://www.debian.org/security/2013/dsa-2678 http://www.debian.org/security/2013/dsa-2679 http://www.debian.org/security/2013/dsa-2680 http://www.debian.org/security/2013/dsa-2681 http://www.debian.org/security/2013/dsa-2682 http://www.debian.org/security/2013/dsa-2683 http://www.debian.org/security/2013/dsa-2684 http://www.debian.org/security/2013/dsa-2685 http://www.debian.org/security/2013/dsa-2686 http://www.debian.org/security/2013/dsa-2687 http://www.debian.org/security/2013/dsa-2688 http://www.debian.org/security/2013/dsa-2689 http://www.debian.org/security/2013/dsa-2690 http://www.debian.org/security/2013/dsa-2691 http://www.debian.org/security/2013/dsa-2692 This includes source packages: libdmx, libxv, libxvmc, libxfixes, libxrender, mesa, xserver-xorg-video-openchrome, libxt, libxcursor, libxext, libxi, libxrandr, libxp, libxcb, libfs, libxres, libxtst, libxxf86dga, libxinerama, libxxf86vm The initial libxvmc update had a regression, then was corrected: http://lwn.net/Alerts/551797/ Given that mesa is included in that list, I suppose the mesa that Thierry also updated in {tainted,core}/updates_testing will be a part of this update. Mesa packages uploaded: mesa-9.1.3-1.mga3 libdricore1-9.1.3-1.mga3 libdricore1-devel-9.1.3-1.mga3 libmesagl1-9.1.3-1.mga3 libdri-drivers-9.1.3-1.mga3 libmesagl1-devel-9.1.3-1.mga3 libmesaegl1-9.1.3-1.mga3 libmesaegl1-devel-9.1.3-1.mga3 libosmesa8-9.1.3-1.mga3 libosmesa-devel-9.1.3-1.mga3 libglapi0-9.1.3-1.mga3 libglapi0-devel-9.1.3-1.mga3 libmesaglesv1_1-9.1.3-1.mga3 libmesaglesv1_1-devel-9.1.3-1.mga3 libmesaglesv2_2-9.1.3-1.mga3 libmesaglesv2_2-devel-9.1.3-1.mga3 libmesaopenvg1-9.1.3-1.mga3 libmesaopenvg1-devel-9.1.3-1.mga3 libllvmradeon9.1.3-9.1.3-1.mga3 libgbm1-9.1.3-1.mga3 libgbm1-devel-9.1.3-1.mga3 libwayland-egl1-9.1.3-1.mga3 libwayland-egl1-devel-9.1.3-1.mga3 libvdpau-driver-nouveau-9.1.3-1.mga3 libvdpau-driver-r300-9.1.3-1.mga3 libvdpau-driver-r600-9.1.3-1.mga3 libvdpau-driver-radeonsi-9.1.3-1.mga3 libvdpau-driver-softpipe-9.1.3-1.mga3 mesa-common-devel-9.1.3-1.mga3 from mesa-9.1.3-1.mga3.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/551694/
I just pushed the additional packages: - libxfixes-5.0.1-1.mga3todo - libfs-1.0.5-1.mga3 - libdmx-1.1.3-1.mga3
Thanks Thierry. Uploaded this morning: libdmx1-1.1.3-1.mga3 libdmx-devel-1.1.3-1.mga3 libdmx-static-devel-1.1.3-1.mga3 libfs6-1.0.5-1.mga3 libfs-devel-1.0.5-1.mga3 libfs-static-devel-1.0.5-1.mga3 libxfixes3-5.0.1-1.mga3 libxfixes3-devel-5.0.1-1.mga3 libxfixes3-static-devel-5.0.1-1.mga3 libxcursor1-1.1.14-1.mga3 libxcursor-devel-1.1.14-1.mga3 libxcursor-static-devel-1.1.14-1.mga3 from SRPMS: libdmx-1.1.3-1.mga3.src.rpm libfs-1.0.5-1.mga3.src.rpm libxfixes-5.0.1-1.mga3.src.rpm libxcursor-1.1.14-1.mga3.src.rpm
More uploaded by Thierry in the last couple days: libdmx1-1.1.3-1.mga3 libdmx-devel-1.1.3-1.mga3 libdmx-static-devel-1.1.3-1.mga3 libfs6-1.0.5-1.mga3 libfs-devel-1.0.5-1.mga3 libfs-static-devel-1.0.5-1.mga3 libxfixes3-5.0.1-1.mga3 libxfixes3-devel-5.0.1-1.mga3 libxfixes3-static-devel-5.0.1-1.mga3 libxcursor1-1.1.14-1.mga3 libxcursor-devel-1.1.14-1.mga3 libxcursor-static-devel-1.1.14-1.mga3 libxp6-1.0.2-1.mga3 libxp-devel-1.0.2-1.mga3 libxp-static-devel-1.0.2-1.mga3 libxt6-1.1.4-1.mga3 libxt-devel-1.1.4-1.mga3 libxt-static-devel-1.1.4-1.mga3 libxres1-1.0.7-1.mga3 libxres1-devel-1.0.7-1.mga3 libxres1-static-devel-1.0.7-1.mga3 libxxf86vm1-1.1.3-1.mga3 libxxf86vm-devel-1.1.3-1.mga3 libxxf86vm-static-devel-1.1.3-1.mga3 libxxf86dga1-1.1.4-1.mga3 libxxf86dga-devel-1.1.4-1.mga3 libxxf86dga-static-devel-1.1.4-1.mga3 libxcb1-1.9.1-1.mga3 libxcb-devel-1.9.1-1.mga3 libxcb-static-devel-1.9.1-1.mga3 libxcb-doc-1.9.1-1.mga3 libxcb-composite0-1.9.1-1.mga3 libxcb-damage0-1.9.1-1.mga3 libxcb-dpms0-1.9.1-1.mga3 libxcb-dri2_0-1.9.1-1.mga3 libxcb-glx0-1.9.1-1.mga3 libxcb-randr0-1.9.1-1.mga3 libxcb-record0-1.9.1-1.mga3 libxcb-render0-1.9.1-1.mga3 libxcb-res0-1.9.1-1.mga3 libxcb-screensaver0-1.9.1-1.mga3 libxcb-shape0-1.9.1-1.mga3 libxcb-shm0-1.9.1-1.mga3 libxcb-sync0-1.9.1-1.mga3 libxcb-xevie0-1.9.1-1.mga3 libxcb-xf86dri0-1.9.1-1.mga3 libxcb-xfixes0-1.9.1-1.mga3 libxcb-xinerama0-1.9.1-1.mga3 libxcb-xprint0-1.9.1-1.mga3 libxcb-xtest0-1.9.1-1.mga3 libxcb-xv0-1.9.1-1.mga3 libxcb-xvmc0-1.9.1-1.mga3 libxinerama1-1.1.3-1.mga3 libxinerama1-devel-1.1.3-1.mga3 libxinerama1-static-devel-1.1.3-1.mga3 libxtst6-1.2.2-1.mga3 libxtst6-devel-1.2.2-1.mga3 libxtst6-static-devel-1.2.2-1.mga3 from SRPMS: libdmx-1.1.3-1.mga3.src.rpm libfs-1.0.5-1.mga3.src.rpm libxfixes-5.0.1-1.mga3.src.rpm libxcursor-1.1.14-1.mga3.src.rpm libxp-1.0.2-1.mga3.src.rpm libxt-1.1.4-1.mga3.src.rpm libxres-1.0.7-1.mga3.src.rpm libxxf86vm-1.1.3-1.mga3.src.rpm libxxf86dga-1.1.4-1.mga3.src.rpm libxcb-1.9.1-1.mga3.src.rpm libxinerama-1.1.3-1.mga3.src.rpm libxtst-1.2.2-1.mga3.src.rpm
Uploaded by Oden for Mageia 2: libfs6-1.0.4-1.1.mga2 libfs-devel-1.0.4-1.1.mga2 libfs-static-devel-1.0.4-1.1.mga2 from libfs-1.0.4-1.1.mga2.src.rpm
Just to see where we're at, here's the list of packages needed with the current SRPM if it has already been fixed for Mageia 3: libdmx - libdmx-1.1.3-1.mga3.src.rpm libfs - libfs-1.0.5-1.mga3.src.rpm libx11 - libx11-1.5.99.902-1.mga3.src.rpm libxcb - libxcb-1.9.1-1.mga3.src.rpm libxcursor - libxcursor-1.1.14-1.mga3.src.rpm libxext - libxfixes - libxfixes-5.0.1-1.mga3.src.rpm libxi - libxi-1.6.2.901-1.mga3.src.rpm libxinerama - libxinerama-1.1.3-1.mga3.src.rpm libxp - libxp-1.0.2-1.mga3.src.rpm libxrandr - libxrender - libxres - libxres-1.0.7-1.mga3.src.rpm libxt - libxt-1.1.4-1.mga3.src.rpm libxtst - libxtst-1.2.2-1.mga3.src.rpm libxv - libxvmc - libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm mesa - mesa-9.1.3-1.mga3.src.rpm openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm
A few more built by Thierry this morning: libxv1-1.0.8-1.mga3 libxv1-devel-1.0.8-1.mga3 libxv1-static-devel-1.0.8-1.mga3 libxrandr2-1.4.1-1.mga3 libxrandr2-devel-1.4.1-1.mga3 libxrandr2-static-devel-1.4.1-1.mga3 libxext6-1.3.2-1.mga3 libxext6-devel-1.3.2-1.mga3 libxext6-static-devel-1.3.2-1.mga3 from SRPMS: libxv-1.0.8-1.mga3.src.rpm libxrandr-1.4.1-1.mga3.src.rpm libxext-1.3.2-1.mga3.src.rpm Current status for Mageia 3: libdmx - libdmx-1.1.3-1.mga3.src.rpm libfs - libfs-1.0.5-1.mga3.src.rpm libx11 - libx11-1.5.99.902-1.mga3.src.rpm libxcb - libxcb-1.9.1-1.mga3.src.rpm libxcursor - libxcursor-1.1.14-1.mga3.src.rpm libxext - libxext-1.3.2-1.mga3.src.rpm libxfixes - libxfixes-5.0.1-1.mga3.src.rpm libxi - libxi-1.6.2.901-1.mga3.src.rpm libxinerama - libxinerama-1.1.3-1.mga3.src.rpm libxp - libxp-1.0.2-1.mga3.src.rpm libxrandr - libxrandr-1.4.1-1.mga3.src.rpm libxrender - libxres - libxres-1.0.7-1.mga3.src.rpm libxt - libxt-1.1.4-1.mga3.src.rpm libxtst - libxtst-1.2.2-1.mga3.src.rpm libxv - libxv-1.0.8-1.mga3.src.rpm libxvmc - libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm mesa - mesa-9.1.3-1.mga3.src.rpm openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm
The libx11 update for Mageia 3 has been updated again: libx11_6-1.6.0-1.mga3 libx11_6-devel-1.6.0-1.mga3 libx11_6-static-devel-1.6.0-1.mga3 libx11-common-1.6.0-1.mga3 libx11-doc-1.6.0-1.mga3 from libx11-1.6.0-1.mga3.src.rpm
RedHat has issued an advisory on June 3: https://rhn.redhat.com/errata/RHSA-2013-0897.html from http://lwn.net/Vulnerabilities/552862/ This update for Mesa fixes the CVE listed in the X.org advisory (CVE-2013-1993) as well as a new one, CVE-2013-1872. It's not clear which versions of Mesa are affected, so we may have to address that one as well.
Thierry has built the last two packages for the Mageia 3 update: libxrender1-0.9.8-1.mga3 libxrender1-devel-0.9.8-1.mga3 libxrender1-static-devel-0.9.8-1.mga3 libxvmc1-1.0.8-1.mga3 libxvmc1-devel-1.0.8-1.mga3 libxvmc1-static-devel-1.0.8-1.mga3 from SRPMS: libxrender-0.9.8-1.mga3.src.rpm libxvmc-1.0.8-1.mga3.src.rpm Full SRPM list for Mageia 3 update: libdmx - libdmx-1.1.3-1.mga3.src.rpm libfs - libfs-1.0.5-1.mga3.src.rpm libx11 - libx11-1.5.99.902-1.mga3.src.rpm libxcb - libxcb-1.9.1-1.mga3.src.rpm libxcursor - libxcursor-1.1.14-1.mga3.src.rpm libxext - libxext-1.3.2-1.mga3.src.rpm libxfixes - libxfixes-5.0.1-1.mga3.src.rpm libxi - libxi-1.6.2.901-1.mga3.src.rpm libxinerama - libxinerama-1.1.3-1.mga3.src.rpm libxp - libxp-1.0.2-1.mga3.src.rpm libxrandr - libxrandr-1.4.1-1.mga3.src.rpm libxrender - libxrender-0.9.8-1.mga3.src.rpm libxres - libxres-1.0.7-1.mga3.src.rpm libxt - libxt-1.1.4-1.mga3.src.rpm libxtst - libxtst-1.2.2-1.mga3.src.rpm libxv - libxv-1.0.8-1.mga3.src.rpm libxvmc - libxvmc-1.0.8-1.mga3.src.rpm libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm mesa - mesa-9.1.3-1.mga3.src.rpm openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm
(In reply to David Walser from comment #13) > RedHat has issued an advisory on June 3: > https://rhn.redhat.com/errata/RHSA-2013-0897.html > > from http://lwn.net/Vulnerabilities/552862/ > > This update for Mesa fixes the CVE listed in the X.org advisory > (CVE-2013-1993) as well as a new one, CVE-2013-1872. It's not clear which > versions of Mesa are affected, so we may have to address that one as well. Thierry, Oden, anyone, does the above additional Mesa issue affect us?
CVE-2013-1872, CVE-2013-1993 has been fixed in mesa-8.0.5-1.1.mga2 CVE-2013-1872 has been fixed in mesa-9.1.3-1.1.mga3
Thanks Oden. Now we have all we need for the Mageia 3 update but an advisory. I'll file a new bug so it can go to QA. Updated Mesa packages: mesa-9.1.3-1.1.mga3 libdricore1-9.1.3-1.1.mga3 libdricore1-devel-9.1.3-1.1.mga3 libmesagl1-9.1.3-1.1.mga3 libdri-drivers-9.1.3-1.1.mga3 libmesagl1-devel-9.1.3-1.1.mga3 libmesaegl1-9.1.3-1.1.mga3 libmesaegl1-devel-9.1.3-1.1.mga3 libosmesa8-9.1.3-1.1.mga3 libosmesa-devel-9.1.3-1.1.mga3 libglapi0-9.1.3-1.1.mga3 libglapi0-devel-9.1.3-1.1.mga3 libmesaglesv1_1-9.1.3-1.1.mga3 libmesaglesv1_1-devel-9.1.3-1.1.mga3 libmesaglesv2_2-9.1.3-1.1.mga3 libmesaglesv2_2-devel-9.1.3-1.1.mga3 libmesaopenvg1-9.1.3-1.1.mga3 libmesaopenvg1-devel-9.1.3-1.1.mga3 libllvmradeon9.1.3-9.1.3-1.1.mga3 libgbm1-9.1.3-1.1.mga3 libgbm1-devel-9.1.3-1.1.mga3 libwayland-egl1-9.1.3-1.1.mga3 libwayland-egl1-devel-9.1.3-1.1.mga3 libvdpau-driver-nouveau-9.1.3-1.1.mga3 libvdpau-driver-r300-9.1.3-1.1.mga3 libvdpau-driver-r600-9.1.3-1.1.mga3 libvdpau-driver-radeonsi-9.1.3-1.1.mga3 libvdpau-driver-softpipe-9.1.3-1.1.mga3 mesa-common-devel-9.1.3-1.1.mga3 from mesa-9.1.3-1.1.mga3.src.rpm Full SRPM list for Mageia 3 update: libdmx - libdmx-1.1.3-1.mga3.src.rpm libfs - libfs-1.0.5-1.mga3.src.rpm libx11 - libx11-1.5.99.902-1.mga3.src.rpm libxcb - libxcb-1.9.1-1.mga3.src.rpm libxcursor - libxcursor-1.1.14-1.mga3.src.rpm libxext - libxext-1.3.2-1.mga3.src.rpm libxfixes - libxfixes-5.0.1-1.mga3.src.rpm libxi - libxi-1.6.2.901-1.mga3.src.rpm libxinerama - libxinerama-1.1.3-1.mga3.src.rpm libxp - libxp-1.0.2-1.mga3.src.rpm libxrandr - libxrandr-1.4.1-1.mga3.src.rpm libxrender - libxrender-0.9.8-1.mga3.src.rpm libxres - libxres-1.0.7-1.mga3.src.rpm libxt - libxt-1.1.4-1.mga3.src.rpm libxtst - libxtst-1.2.2-1.mga3.src.rpm libxv - libxv-1.0.8-1.mga3.src.rpm libxvmc - libxvmc-1.0.8-1.mga3.src.rpm libxxf86dga - libxxf86dga-1.1.4-1.mga3.src.rpm libxxf86vm - libxxf86vm-1.1.3-1.mga3.src.rpm mesa - mesa-9.1.3-1.1.mga3.src.rpm openchrome - x11-driver-video-openchrome-0.3.3-1.mga3.src.rpm
The Mageia 2 update isn't close to being ready, but here's the current status. Oden just posted an updated Mesa: mesa-8.0.5-1.1.mga2 libmesagl1-8.0.5-1.1.mga2 libdri-drivers-8.0.5-1.1.mga2 libmesagl1-devel-8.0.5-1.1.mga2 libmesaglu1-8.0.5-1.1.mga2 libmesaglu1-devel-8.0.5-1.1.mga2 libmesaegl1-8.0.5-1.1.mga2 libmesaegl1-devel-8.0.5-1.1.mga2 libglapi0-8.0.5-1.1.mga2 libglapi0-devel-8.0.5-1.1.mga2 libmesaglesv1_1-8.0.5-1.1.mga2 libmesaglesv1_1-devel-8.0.5-1.1.mga2 libmesaglesv2_2-8.0.5-1.1.mga2 libmesaglesv2_2-devel-8.0.5-1.1.mga2 libmesaopenvg1-8.0.5-1.1.mga2 libmesaopenvg1-devel-8.0.5-1.1.mga2 libgbm1-8.0.5-1.1.mga2 libgbm1-devel-8.0.5-1.1.mga2 libwayland-egl1-8.0.5-1.1.mga2 libwayland-egl1-devel-8.0.5-1.1.mga2 mesa-common-devel-8.0.5-1.1.mga2 from mesa-8.0.5-1.1.mga2.src.rpm Full SRPM list for Mageia 2 update: libdmx - libfs - libfs-1.0.4-1.1.mga2.src.rpm libx11 - libxcb - libxcursor - libxext - libxfixes - libxi - libxinerama - libxp - libxrandr - libxrender - libxres - libxt - libxtst - libxv - libxvmc - libxxf86dga - libxxf86vm - mesa - mesa-8.0.5-1.1.mga2.src.rpm openchrome -
Depends on: (none) => 10565
Depends on: (none) => 10569
Bug 10565 has been filed for the Mageia 3 update. Bug 10569 has been filed for the Mesa update only on Mageia 2. List of remaining SRPMS for the Mageia 2 update: libdmx - libfs - libfs-1.0.4-1.1.mga2.src.rpm libx11 - libxcb - libxcursor - libxext - libxfixes - libxi - libxinerama - libxp - libxrandr - libxrender - libxres - libxt - libxtst - libxv - libxvmc - libxxf86dga - libxxf86vm - openchrome -
Mageia 3 was fixed in Bug 10565 and Bug 10569. Closing this now due to Mageia 2 EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Status: NEW => RESOLVEDVersion: 3 => 2Resolution: (none) => OLDWhiteboard: MGA2TOO => (none)