OpenSuSE has issued an advisory today (July 5):
http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html

They fixed a denial of service issue, that also appears to have been fixed upstream around 1.14.0, and it is fixed in the version we have in Cauldron.

The issue, which is fixed with a one-liner patch, is described here:
https://bugzilla.novell.com/show_bug.cgi?id=815583

No CVEs are mentioned and I don't know if one was ever requested.

I wonder if Oden has access to the reproducer mentioned in the bug above.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

In the X.org x11-server, if a client sends a request larger than maxBigRequestSize, the server is supposed to ignore it. In some versions, it instead attempts to gracefully ignore the request by remembering how long the client specified the request to be, and ignoring that many bytes. However, if a client sends a BigReq header with a large size and disconnects before actually sending the rest of the specified request, the server will reuse the ConnectionInput buffer without resetting the ignoreBytes field. This makes the server ignore new X clients' requests, resulting in a denial of service.

References:
http://lists.opensuse.org/opensuse-updates/2013-07/msg00023.html
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.3.mga2
x11-server-devel-1.11.4-2.3.mga2
x11-server-common-1.11.4-2.3.mga2
x11-server-xorg-1.11.4-2.3.mga2
x11-server-xdmx-1.11.4-2.3.mga2
x11-server-xnest-1.11.4-2.3.mga2
x11-server-xvfb-1.11.4-2.3.mga2
x11-server-xephyr-1.11.4-2.3.mga2
x11-server-xfake-1.11.4-2.3.mga2
x11-server-xfbdev-1.11.4-2.3.mga2
x11-server-source-1.11.4-2.3.mga2
x11-server-1.13.4-2.1.mga3
x11-server-devel-1.13.4-2.1.mga3
x11-server-common-1.13.4-2.1.mga3
x11-server-xorg-1.13.4-2.1.mga3
x11-server-xdmx-1.13.4-2.1.mga3
x11-server-xnest-1.13.4-2.1.mga3
x11-server-xvfb-1.13.4-2.1.mga3
x11-server-xephyr-1.13.4-2.1.mga3
x11-server-xfake-1.13.4-2.1.mga3
x11-server-xfbdev-1.13.4-2.1.mga3
x11-server-source-1.13.4-2.1.mga3

from SRPMS:
x11-server-1.11.4-2.3.mga2.src.rpm
x11-server-1.13.4-2.1.mga3.src.rpm
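The stale-state condition described in the advisory text above, as an added example that is not part of the original report and is not X.org code. It is a simplified C model: only `ignoreBytes` and `ConnectionInput` are names taken from the advisory; the one-slot pool, the function names and the byte counts are assumptions made for illustration, and `reset_on_reuse` models clearing the field when the buffer is handed to a new client.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a per-client input buffer (not the X server's struct). */
typedef struct {
    size_t ignoreBytes;   /* bytes of an oversized request still to discard */
} ConnectionInput;

static ConnectionInput pool_slot;   /* hypothetical one-entry pool of recycled buffers */

/* An oversized request header was seen: remember how many bytes to skip. */
static void begin_oversized(ConnectionInput *in, size_t declared_len) {
    in->ignoreBytes = declared_len;
}

/* Feed n bytes from the client; returns how many reach request dispatch. */
static size_t deliver(ConnectionInput *in, size_t n) {
    size_t skipped = n < in->ignoreBytes ? n : in->ignoreBytes;
    in->ignoreBytes -= skipped;
    return n - skipped;
}

/* The old client is gone and the buffer is handed to the next one.
 * reset_on_reuse = 0 keeps the stale counter (the behaviour the advisory
 * describes); reset_on_reuse = 1 clears it (the hardened behaviour). */
static ConnectionInput *reuse_for_new_client(ConnectionInput *in, int reset_on_reuse) {
    if (reset_on_reuse)
        in->ignoreBytes = 0;
    return in;
}

/* Returns how many of a new client's first 12 bytes are actually processed. */
size_t simulate(int reset_on_reuse) {
    ConnectionInput *a = &pool_slot;
    memset(a, 0, sizeof *a);
    begin_oversized(a, (size_t)1 << 20);  /* constructed: declares 1 MiB */
    deliver(a, 16);                       /* sends 16 bytes, then disconnects */
    ConnectionInput *b = reuse_for_new_client(a, reset_on_reuse);
    return deliver(b, 12);                /* constructed: new client's first 12 bytes */
}

int main(void) {
    printf("stale counter kept : %zu of 12 bytes processed\n", simulate(0));
    printf("counter reset      : %zu of 12 bytes processed\n", simulate(1));
    return 0;
}
```

In the unreset case the new client's traffic is consumed by the previous client's leftover skip count, which is why the symptom appears on unrelated, well-behaved connections.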
Inquiry about it getting a CVE. We'll see. http://openwall.com/lists/oss-security/2013/07/05/12
Sounds like the consensus is it's not an actual vulnerability: http://openwall.com/lists/oss-security/2013/07/06/2
Does anyone have any strong feelings about this one? We can still issue it as a bugfix update, or just leave the fix in SVN for if we issue another update to this package later.
I'd vote for leave on svn. It's a patch worth having but is it worth an update on its own? Up to you really David. By its nature we're unlikely to find a PoC.
It doesn't sound like it's worth its own update. Closing as WONTFIX.
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX
These will need to be removed from Testing medias. SRPMS: x11-server-1.11.4-2.3.mga2.src.rpm x11-server-1.13.4-2.1.mga3.src.rpm Could sysadmin please remove from 2 & 3 core/updates_testing.
Status: RESOLVED => REOPENED
CC: (none) => sysadmin-bugs
Resolution: WONTFIX => (none)
Whiteboard: (none) => feedback
Deleted: x11-server-1.11.4-2.3.mga2.src.rpm x11-server-1.13.4-2.1.mga3.src.rpm and their matching rpms
Status: REOPENED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Well, technically not FIXED, just not issuing updates for now, so WONTFIX. Thanks. Note that xdm also needs deleted (from Bug 10682).
Resolution: FIXED => WONTFIX