Upstream has issued an advisory on February 28:
http://openwall.com/lists/oss-security/2017/02/28/3
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
More info available here:
http://openwall.com/lists/oss-security/2017/03/01/1
Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
I added BR on libbsd-devel for cauldron: http://svnweb.mageia.org/packages?view=revision&revision=1088369
thierry, is this a fix for this CVE?
CC: (none) => mageia
CVE: (none) => CVE-2017-2625
Confirmed with Debian, this fixes the CVE.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Pushed in updates_testing for Mageia 5. src.rpm: libxdmcp-1.1.1-7.1.mga5
Assignee: thierry.vignaud => qa-bugs
Advisory:
========================
Updated libxdmcp packages fix security vulnerability:
XDM uses weak entropy to generate the session keys on non-BSD systems. On multi-user systems it might be possible to check the PID of the process and how long it is running to get an estimate of these values, which could allow an attacker to attach to the session of a different user (CVE-2017-2625).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2625
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
========================
Updated packages in core/updates_testing:
========================
libxdmcp6-1.1.1-7.1.mga5
libxdmcp-devel-1.1.1-7.1.mga
from libxdmcp-1.1.1-7.1.mga5.src.rpm
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Under # urpmq --whatrequires libxdmcp6 I found gdm, kdm and xdm, so I rebooted and all went normal. Most of the other dependencies are servers, and I have no idea how to trace those. Someone else to judge if this is sufficient to OK.
CC: (none) => herman.viaene
Installed and tested without issues. Have had this package installed for several days and haven't noticed any regressions.
Tests included:
- running KDM, xdm and Xorg as usual;
- running multiple user sessions at the same time;
- using xauth to copy a session MIT-MAGIC-COOKIE-1 to a remote machine and running some remote X11 applications;
- X11 tunnelling through ssh.
Didn't actually test a remote X11 session using XDMCP but the changes were related to MIT-MAGIC-COOKIE-1 so the tests should cover the changed code.
System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340.
$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ LANGUAGE=C rpm -q $( urpmq --whatrequires lib64xdmcp6 | sort -u) | grep -v "not installed"
kdm-4.11.22-1.mga5
lib64xcb1-1.11.1-1.mga5
lib64xdmcp6-1.1.1-7.1.mga5
lib64xdmcp-devel-1.1.1-7.1.mga5
x11-server-xorg-1.16.4-2.2.mga5
xdm-1.1.11-14.mga5
CC: (none) => mageia
Whiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Moving 'advisory' from whiteboard to keywords now that madb has been updated to handle that keyword.
Keywords: (none) => advisory
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0330.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED