The upstream 1.19.4 update we pushed as:
http://advisories.mageia.org/MGASA-2017-0366.html
introduced a regression in PRIME synchronization.

So upstream released a 1.19.5 that fixes that and a lot of security fixes:
CVE-2017-12176 to CVE-2017-12187

I also added a fix for "XShmGetImage: fix censoring" that is described as:
<quote>
Visually this fixes chromium/firefox window sharing in multiscreen configurations - without this patch most of the windows on 'secondary' screens are black.
This also should fix https://bugs.freedesktop.org/show_bug.cgi?id=101730.
</quote>

Packages to test:

SRPMS:
x11-server-1.19.5-1.1.mga6.src.rpm

i586:
x11-server-1.19.5-1.1.mga6.i586.rpm
x11-server-common-1.19.5-1.1.mga6.i586.rpm
x11-server-devel-1.19.5-1.1.mga6.i586.rpm
x11-server-source-1.19.5-1.1.mga6.noarch.rpm
x11-server-xdmx-1.19.5-1.1.mga6.i586.rpm
x11-server-xephyr-1.19.5-1.1.mga6.i586.rpm
x11-server-xfake-1.19.5-1.1.mga6.i586.rpm
x11-server-xfbdev-1.19.5-1.1.mga6.i586.rpm
x11-server-xnest-1.19.5-1.1.mga6.i586.rpm
x11-server-xorg-1.19.5-1.1.mga6.i586.rpm
x11-server-xvfb-1.19.5-1.1.mga6.i586.rpm
x11-server-xwayland-1.19.5-1.1.mga6.i586.rpm

x86_64:
x11-server-1.19.5-1.1.mga6.x86_64.rpm
x11-server-common-1.19.5-1.1.mga6.x86_64.rpm
x11-server-devel-1.19.5-1.1.mga6.x86_64.rpm
x11-server-source-1.19.5-1.1.mga6.noarch.rpm
x11-server-xdmx-1.19.5-1.1.mga6.x86_64.rpm
x11-server-xephyr-1.19.5-1.1.mga6.x86_64.rpm
x11-server-xfake-1.19.5-1.1.mga6.x86_64.rpm
x11-server-xfbdev-1.19.5-1.1.mga6.x86_64.rpm
x11-server-xnest-1.19.5-1.1.mga6.x86_64.rpm
x11-server-xorg-1.19.5-1.1.mga6.x86_64.rpm
x11-server-xvfb-1.19.5-1.1.mga6.x86_64.rpm
x11-server-xwayland-1.19.5-1.1.mga6.x86_64.rpm

Cauldron is fixed. Mageia 5 is also affected by many of the CVEs, but they don't apply cleanly, so I'll put that in a separate report when it's ready...
Hi.

System: MGA6 x86_64

Using this update with Openbox without any issues after a complete reboot of my system.

$ rpm -qa | grep x11-server
x11-server-xnest-1.19.5-1.1.mga6
x11-server-common-1.19.5-1.1.mga6
x11-server-xwayland-1.19.5-1.1.mga6
x11-server-xorg-1.19.5-1.1.mga6

Only have systems with 1 monitor, so haven't seen the issue mentioned.

Cheers,
Stig
CC: (none) => smelror
Fedora has issued an advisory for this today (October 17): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7PTJE7ZFQ6WA3TNLKJYRT5SI74CWC3ID/
Debian has issued an advisory for this on October 17: https://www.debian.org/security/2017/dsa-4000 It mentions two CVEs, CVE-2017-13721 and CVE-2017-13723, that Thomas didn't mention before. Do we have fixes for those?
MGA6-32 on Asus A6000VM MATE

No installation issues.

Before the update I tried to replicate the issue with Firefox as mentioned above, using my beamer as secondary screen. The problem did not show up, but MATE played havoc with the screen settings. I needed several Ctrl-Alt-Backspace operations to get back to a normal situation.

After the update I checked normal operation of panel, menus and shortcuts and opened documents, pictures, music and videos, all OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
(In reply to David Walser from comment #3)
> Debian has issued an advisory for this on October 17:
> https://www.debian.org/security/2017/dsa-4000
> It mentions two CVEs, CVE-2017-13721 and CVE-2017-13723, that Thomas didn't
> mention before. Do we have fixes for those?

This is important to know. Or can we expect an updated update? Should these CVEs be in the advisory?
----------------------------------
Using M6/64 XFCE
x11-server-xorg-1.19.5-1.1.mga6
x11-server-xwayland-1.19.5-1.1.mga6
x11-server-common-1.19.5-1.1.mga6
without problems; but holding the OK for a bit.
-----------------------------------------------
Have uploaded an advisory from comments 0, 2, 3. But *without* the 2 CVEs mentioned in comment 3 since I do not know whether they are covered by this update as it stands. If they are, please add them to the advisory.
Keywords: (none) => advisory
(In reply to David Walser from comment #3)
> Debian has issued an advisory for this on October 17:
> https://www.debian.org/security/2017/dsa-4000
>
> It mentions two CVEs, CVE-2017-13721 and CVE-2017-13723, that Thomas didn't
> mention before. Do we have fixes for those?

We did them as part of 1.19.4 update:
https://advisories.mageia.org/MGASA-2017-0366.html
Mageia release 6 (Official) for x86_64
4.9.56-desktop-1.mga6
Desktop: Gnome 3.24.2
Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
NVIDIA Corporation GK104 [GeForce GTX 770]
RAM 15.35 GB
--------------------------------------
2560x1440 pixels (677x381 millimeters)
--------------------------------------
Display Server: Mageia X.org 119.4 drivers: nvidia,v4l
GLX Version: 4.5.0 NVIDIA 384.59

Installed all the components (some were already installed). Ran the updates.

Logged out of GNOME. Logged into GNOME on Xorg and the desktop came up OK. Ran vlc to play a video. Viewed images. Logged in to another workstation on the LAN and played videos, viewed images and used firefox. The latter two responded to keyboard events fairly promptly as well as mouse clicks.

That all looks fine.
CC: (none) => tarazed25
The starting point for the installation in the test reported in comment 7 was from a standpoint of the default login for GNOME. Testing was done by logging in to GNOME on Xorg. We should test the Wayland server also, but is the default login for GNOME Wayland? If so it can be tested. Is it safe to assume that GNOME Classic runs under Wayland?
This bug has nothing to do with Wayland.
On mga6-64 plasma

Packages installed cleanly:
- x11-server-common-1.19.5-1.1.mga6.x86_64
- x11-server-xorg-1.19.5-1.1.mga6.x86_64
- x11-server-xwayland-1.19.5-1.1.mga6.x86_64

Played videos in VLC and flash-player, streaming on flash-player, YouTube videos.
Used LO .ods and odt files

No regressions noted

$ inxi -G
Graphics:  Card: Intel HD Graphics 530
           Display Server: Mageia X.org 119.5 drivers: v4l,intel Resolution: 1920x1080@60.00hz
           GLX Renderer: Mesa DRI Intel HD Graphics 530 (Skylake GT2) GLX Version: 3.0 Mesa 17.1.5

Looks OK for mga6-64
CC: (none) => jim
Re comment 9. So where does x11-xserver-xwayland come into this? Do we just ignore it?
On mga6-32 in a vbox VM

packages installed cleanly:
x11-server-xwayland-1.19.5-1.1.mga6.i586
x11-server-xorg-1.19.5-1.1.mga6.i586
x11-server-common-1.19.5-1.1.mga6.i586

played videos; used LO

no regressions noted

$ inxi -G
Graphics:  Card: InnoTek Systemberatung VirtualBox Graphics Adapter
           Display Server: Mageia X.org 119.5 drivers: modesetting,v4l
           GLX Renderer: Gallium 0.4 on llvmpipe (LLVM 3.9, 256 bits)

looks OK for mga6-32 in a vbox VM
Yes you can ignore xwayland, that's not what the CVEs are about. Also, we're primarily just concerned with the functionality of the X server.
The testing looks decent: thanks James for your confirmations. Adding 2nd OK & validating.
CC: (none) => sysadmin-bugs
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0401.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED