Upstream has issued an advisory today (December 9):
http://openwall.com/lists/oss-security/2014/12/09/18
http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

A link to patches is provided on the upstream advisory now, and it says it will post links to git commits later. The issue will also be fixed in 1.16.3.

Mageia 4 is also affected by all of these issues except for CVE-2014-8103.

Mageia does have the -nolisten tcp mitigation in place by default.
Whiteboard: (none) => MGA4TOO
git commit links have been posted to the upstream advisory: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/ A 1.16.3 RC (1.16.2.901) is available with the fixes, according to: http://openwall.com/lists/oss-security/2014/12/09/29
Ubuntu has issued advisories for this on December 9: http://www.ubuntu.com/usn/usn-2436-1/ http://www.ubuntu.com/usn/usn-2436-2/
URL: (none) => http://lwn.net/Vulnerabilities/625511/
RedHat has issued an advisory for this on December 11: https://rhn.redhat.com/errata/RHSA-2014-1983.html
Thierry has requested a freeze push for Cauldron.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated x11-server packages fix security vulnerabilities:

Ilja van Sprundel of IOActive discovered several security issues in the X.org X server, which may lead to privilege escalation or denial of service (CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
https://www.debian.org/security/2014/dsa-3095
========================

Updated packages in core/updates_testing:
========================
x11-server-1.14.5-2.1.mga4
x11-server-devel-1.14.5-2.1.mga4
x11-server-common-1.14.5-2.1.mga4
x11-server-xorg-1.14.5-2.1.mga4
x11-server-xdmx-1.14.5-2.1.mga4
x11-server-xnest-1.14.5-2.1.mga4
x11-server-xvfb-1.14.5-2.1.mga4
x11-server-xephyr-1.14.5-2.1.mga4
x11-server-xfake-1.14.5-2.1.mga4
x11-server-xfbdev-1.14.5-2.1.mga4
x11-server-source-1.14.5-2.1.mga4

from x11-server-1.14.5-2.1.mga4.src.rpm
CC: (none) => thierry.vignaud
Version: Cauldron => 4
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA4TOO => (none)
Severity: normal => critical
Testing on Mageia4x64, nvidia750 gtx, kde desktop.

From
x11-server-xorg-1.14.5-2.mga4
x11-server-common-1.14.5-2.mga4
To
x11-server-xorg-1.14.5-2.1.mga4
x11-server-common-1.14.5-2.1.mga4

$ xdpyinfo
name of display: :0
version number: 11.0
vendor string: The X.Org Foundation
vendor release number: 11405000
X.Org version: 1.14.5

Ran 3 tests with X11perf, which gave equivalent results.
CC: (none) => olchal
MGA4-64 on HP Probook 6555b with AMD Mobility Radeon HD 4225/4250.
Rebooted after installation. No remarks, all seems to work OK, same info on xdpyinfo as above.
CC: (none) => herman.viaene
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.mga4.i586 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.1.mga4.i586 is already installed

KDE desktop and various apps work fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
x11-server-common x11-server-xorg

default install of x11-server-common & x11-server-xorg

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.mga4.x86_64 is already installed

KDE desktop and various apps work fine

install x11-server-common & x11-server-xorg from updates_testing

[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.14.5-2.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.14.5-2.1.mga4.x86_64 is already installed

KDE desktop and various apps work fine

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Adding the OKs from William and Olivier's testing. This can be validated.
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
This update works fine.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0532.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED