Bug 27206 - x11-server new security issue CVE-2020-1434[56] and CVE-2020-1436[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-26 23:04 CEST by David Walser
Modified: 2020-08-27 17:54 CEST

See Also:
Source RPM: x11-server-1.20.8-1.1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-08-26 23:04:35 CEST
X.org has issued an advisory on August 25:
https://lists.x.org/archives/xorg-announce/2020-August/003058.html

The issues are fixed upstream in 1.20.9:
https://lists.x.org/archives/xorg-announce/2020-August/003059.html

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated x11-server packages fix security vulnerabilities:

The handler for the XkbSetNames request does not validate the request length
before accessing its contents (CVE-2020-14345).

An integer underflow exists in the handler for the XIChangeHierarchy request
(CVE-2020-14346).

An integer underflow exists in the handler for the XkbSelectEvents request
(CVE-2020-14361).

An integer underflow exists in the handler for the CreateRegister request of
the X record extension (CVE-2020-14362).

The x11-server package has been updated to version 1.20.9, fixing these issues
and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14345
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14362
https://lists.x.org/archives/xorg-announce/2020-August/003059.html
https://lists.x.org/archives/xorg-announce/2020-August/003058.html
========================

Updated packages in core/updates_testing:
========================
x11-server-1.20.9-1.mga7
x11-server-common-1.20.9-1.mga7
x11-server-xorg-1.20.9-1.mga7
x11-server-xnest-1.20.9-1.mga7
x11-server-xdmx-1.20.9-1.mga7
x11-server-xvfb-1.20.9-1.mga7
x11-server-xephyr-1.20.9-1.mga7
x11-server-xwayland-1.20.9-1.mga7
x11-server-devel-1.20.9-1.mga7
x11-server-source-1.20.9-1.mga7

from x11-server-1.20.9-1.mga7.src.rpm
Aurelien Oudelet 2020-08-27 08:26:31 CEST

QA Contact: (none) => security
Severity: normal => major

Aurelien Oudelet 2020-08-27 12:13:13 CEST

Component: RPM Packages => Security

Comment 1 Aurelien Oudelet 2020-08-27 12:16:17 CEST
Works well with x11-driver-nvidia-current nonfree
Plasma 5.15
x86_64.
Suspend/Resume is OK also.
Aurelien Oudelet 2020-08-27 14:36:34 CEST

Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2020-08-27 14:43:58 CEST

Keywords: (none) => advisory

Aurelien Oudelet 2020-08-27 16:27:16 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 2 Mageia Robot 2020-08-27 17:54:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0350.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

