Upstream has announced two security issues fixed upstream:
http://openwall.com/lists/oss-security/2017/10/04/10
The issues are fixed in 1.19.4.
I don't know if Mageia 5 is affected.
The update has already been built by Thomas.
  x11-server-1.19.4-1.mga6
  x11-server-common-1.19.4-1.mga6
  x11-server-xorg-1.19.4-1.mga6
  x11-server-xnest-1.19.4-1.mga6
  x11-server-xdmx-1.19.4-1.mga6
  x11-server-xvfb-1.19.4-1.mga6
  x11-server-xephyr-1.19.4-1.mga6
  x11-server-xfake-1.19.4-1.mga6
  x11-server-xfbdev-1.19.4-1.mga6
  x11-server-xwayland-1.19.4-1.mga6
  x11-server-devel-1.19.4-1.mga6
  x11-server-source-1.19.4-1.mga6
from x11-server-1.19.4-1.mga6.src.rpm
(In reply to David Walser from comment #0)
> Upstream has announced two security issues fixed upstream:
> http://openwall.com/lists/oss-security/2017/10/04/10
>
> The issues are fixed in 1.19.4.
>
> I don't know if Mageia 5 is affected.
>
It is, I've just pushed a x11-server-1.16.4-2.3.mga5 to the buildsystem
Advisory:
========================
Updated x11-server packages fix security vulnerabilities:
In Xext/shm, the shmseg resource id can belong to a non-existing client and abort X server with FatalError "client not in use", or overwrite existing segment of another existing client (CVE-2017-13721).
Generating strings for XKB data used a single shared static buffer, which offered several opportunities for errors when strings end up longer than anticipated (CVE-2017-13723).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13723
http://openwall.com/lists/oss-security/2017/10/04/10
========================
Updated packages in core/updates_testing:
========================
  x11-server-1.16.4-2.3.mga5
  x11-server-devel-1.16.4-2.3.mga5
  x11-server-common-1.16.4-2.3.mga5
  x11-server-xorg-1.16.4-2.3.mga5
  x11-server-xdmx-1.16.4-2.3.mga5
  x11-server-xwayland-1.16.4-2.3.mga5
  x11-server-xnest-1.16.4-2.3.mga5
  x11-server-xvfb-1.16.4-2.3.mga5
  x11-server-xephyr-1.16.4-2.3.mga5
  x11-server-xfake-1.16.4-2.3.mga5
  x11-server-xfbdev-1.16.4-2.3.mga5
  x11-server-source-1.16.4-2.3.mga5
  x11-server-1.19.4-1.mga6
  x11-server-common-1.19.4-1.mga6
  x11-server-xorg-1.19.4-1.mga6
  x11-server-xnest-1.19.4-1.mga6
  x11-server-xdmx-1.19.4-1.mga6
  x11-server-xvfb-1.19.4-1.mga6
  x11-server-xephyr-1.19.4-1.mga6
  x11-server-xfake-1.19.4-1.mga6
  x11-server-xfbdev-1.19.4-1.mga6
  x11-server-xwayland-1.19.4-1.mga6
  x11-server-devel-1.19.4-1.mga6
  x11-server-source-1.19.4-1.mga6
from SRPMS:
  x11-server-1.16.4-2.3.mga5.src.rpm
  x11-server-1.19.4-1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
CC: (none) => tmb
Assignee: tmb => qa-bugs
Tested on mga6 for x86_64
Installed all the extra packages before updating. Logged out and in.
Ran the updates. Logged out and in.
$ rpm -qa | grep x11-server
x11-server-devel-1.19.4-1.mga6
x11-server-xorg-1.19.4-1.mga6
x11-server-source-1.19.4-1.mga6
x11-server-1.19.4-1.mga6
x11-server-xfbdev-1.19.4-1.mga6
x11-server-xvfb-1.19.4-1.mga6
x11-server-xfake-1.19.4-1.mga6
x11-server-xnest-1.19.4-1.mga6
x11-server-xwayland-1.19.4-1.mga6
x11-server-common-1.19.4-1.mga6
x11-server-xephyr-1.19.4-1.mga6
x11-server-xdmx-1.19.4-1.mga6
Various applications all working OK.
ssh login to another machine on the LAN. Tried out graphics applications. Played HD and DVD videos across the network with vlc. They stuttered a bit but ran OK. There was a problem logging out. Had to use Ctrl-C to kill the connection. That problem did not reappear when the same test was performed later with mplayer.
Remote ssh login again. Other graphics applications closed down cleanly. A network share application worked fine from the other machine and the local machine. exit worked fine that time.
This update is fine for 64-bits.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Testing on mga5 for x86_64 nvidia driver 384.59
Installed missing packages before the update.
Ran the updates.
- x11-server-1.16.4-2.3.mga5.x86_64
- x11-server-common-1.16.4-2.3.mga5.x86_64
- x11-server-xdmx-1.16.4-2.3.mga5.x86_64
- x11-server-xephyr-1.16.4-2.3.mga5.x86_64
- x11-server-xfake-1.16.4-2.3.mga5.x86_64
- x11-server-xfbdev-1.16.4-2.3.mga5.x86_64
- x11-server-xnest-1.16.4-2.3.mga5.x86_64
- x11-server-xorg-1.16.4-2.3.mga5.x86_64
- x11-server-xvfb-1.16.4-2.3.mga5.x86_64
- x11-server-xwayland-1.16.4-2.3.mga5.x86_64
Logged out and in.
Ran various desktop applications; firefox, gkrellm, mcc, vlc and mplayer to play videos, local ruby-tk scripts to display custom-made guis. Everything working fine. Network share guis working OK.
Remote login to a workstation on the LAN. Repeated some of the tests. No problems.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => advisory
CC: (none) => lewyssmith
Installed and tested without issues.
Have been using the update for several hours, multiple concurrent sessions, bunch of programs, including OpenGL without issues.
System: Mageia 5, x86_64, Plasma DE, Intel CPU, nVidia GPU with proprietary driver nvidia340.
$ uname -a
Linux marte 4.4.89-desktop-1.mga5 #1 SMP Wed Sep 27 16:25:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep x11-server
x11-server-xorg-1.16.4-2.3.mga5
x11-server-common-1.16.4-2.3.mga5
CC: (none) => mageia
In VirtualBox, M5.1, KDE, 32-bit
Package(s) under test:
x11-server-common x11-server-xorg
[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.2.mga5.i586 is already installed
Screen sizes are correct, display is normal, common apps work.
install x11-server-common & x11-server-xorg from updates_testing
[root@localhost wilcal]# urpmi x11-server-common
Package x11-server-common-1.16.4-2.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi x11-server-xorg
Package x11-server-xorg-1.16.4-2.3.mga5.i586 is already installed
Screen sizes are correct, display is normal, common apps work.
CC: (none) => wilcal.int
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK
I agree with Lewis that this needs testing on a 32-bit architecture. All I have is vboxes but shall give it a run. The other concern is to run xwayland which means testing under GNOME. I might add that to the 64-bit tests later.
Installed these on mga6::i586 in virtualbox:
x11-server-xwayland-1.19.4-1.mga6
x11-server-xnest-1.19.4-1.mga6
x11-server-1.19.4-1.mga6
x11-server-xvfb-1.19.4-1.mga6
x11-server-devel-1.19.4-1.mga6
x11-server-xdmx-1.19.4-1.mga6
x11-server-xfake-1.19.4-1.mga6
x11-server-xorg-1.19.4-1.mga6
x11-server-source-1.19.4-1.mga6
x11-server-common-1.19.4-1.mga6
x11-server-xephyr-1.19.4-1.mga6
Logged out and in. MageiaWelcome came up. Invoked terminals and mcc. Firefox running OK. Watched an MKV clip from the host machine via a network share. Ran mplayer to watch the start of an mp4 film on the virtual disk. Set gkrellm running.
Remote login on the LAN - ran gqview to view images. Watched a bit of Forbidden Planet using vlc. Keyboard events were transmitted across the network but took a bit of time to take effect - that was to stop the film.
This looks OK but only the network probes are dealing with real hardware.
Whiteboard: MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-32-OK MGA5-64-OK MGA6-32-OK
This is good to go. Len you've got the honours.
Right-ho Bill - thanks. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0366.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED