Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2023/10/25/1
Mageia 8 and 9 are also affected.
The issues are fixed in x11-server 21.1.9 and x11-server-xwayland 23.2.2.
Source RPM: (none) => x11-server, x11-server-xwayland
Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Assigning to the registered x11-server and x11-server-xwayland maintainer
CC: (none) => marja11
Assignee: bugsquad => thierry.vignaud
Suggested advisory:
========================
The updated packages fix security vulnerabilities:
OOB write in XIChangeDeviceProperty/RRChangeOutputProperty. (CVE-2023-5367)
Use-after-free bug in DestroyWindow. (CVE-2023-5380)
Use-after-free bug in DamageDestroy. (CVE-2023-5574)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5367
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5380
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5574
https://www.openwall.com/lists/oss-security/2023/10/25/1
========================
Updated packages in 9/core/updates_testing:
========================
x11-server-21.1.8-7.1.mga9
x11-server-common-21.1.8-7.1.mga9
x11-server-devel-21.1.8-7.1.mga9
x11-server-source-21.1.8-7.1.mga9
x11-server-xephyr-21.1.8-7.1.mga9
x11-server-xnest-21.1.8-7.1.mga9
x11-server-xorg-21.1.8-7.1.mga9
x11-server-xvfb-21.1.8-7.1.mga9
x11-server-xwayland-22.1.9-1.1.mga9
x11-server-xwayland-devel-22.1.9-1.1.mga9
from SRPMS:
x11-server-21.1.8-7.1.mga9.src.rpm
x11-server-xwayland-22.1.9-1.1.mga9.src.rpm
Updated packages in 8/core/updates_testing:
========================
x11-server-1.20.14-4.4.mga8
x11-server-common-1.20.14-4.4.mga8
x11-server-devel-1.20.14-4.4.mga8
x11-server-source-1.20.14-4.4.mga8
x11-server-xdmx-1.20.14-4.4.mga8
x11-server-xephyr-1.20.14-4.4.mga8
x11-server-xnest-1.20.14-4.4.mga8
x11-server-xorg-1.20.14-4.4.mga8
x11-server-xvfb-1.20.14-4.4.mga8
x11-server-xwayland-1.20.14-4.4.mga8
from SRPM:
x11-server-1.20.14-4.4.mga8.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Version: Cauldron => 9
Assignee: thierry.vignaud => qa-bugs
Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
Installed and tested without issues. Tested a bunch of applications, OpenGL 3D (glxinfo, glmark2), video.
System: Mageia 8, x86_64 Plasma DE, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz, Intel integrated GPU.
$ uname -a
Linux marte 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-1.20.14-4.4.mga8
x11-server-xorg-1.20.14-4.4.mga8
x11-server-xwayland-1.20.14-4.4.mga8
$ lscpu | grep "Model name"
Model name: Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
$ lspci | grep VGA
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor Integrated Graphics Controller (rev 06)
CC: (none) => mageia
Installed and tested without issues. Tested desktop applications, OpenGL 3D (glxinfo, glmark2), video.
System: Mageia 8, x86_64 Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics.
$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-1.20.14-4.4.mga8
x11-server-xorg-1.20.14-4.4.mga8
x11-server-xwayland-1.20.14-4.4.mga8
$ LANGUAGE=C lscpu | grep "Model name"
Model name: AMD Ryzen 5 5600G with Radeon Graphics
$ lspci | grep VGA
03:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Navi 24 [Radeon RX 6400 / 6500 XT] (rev c1)
0c:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Cezanne (rev c9)
Installed and tested without issues. Tested desktop applications, OpenGL 3D (glxinfo, glmark2), video.
Host system: See comment 6.
Guest System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics, virtio display driver.
$ uname -a
Linux jupiter-vm-mageia-9-jogos 6.4.16-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Tue Oct 10 16:51:28 UTC 2023 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-21.1.8-7.1.mga9
x11-server-xorg-21.1.8-7.1.mga9
x11-server-xwayland-22.1.9-1.1.mga9
$ LANGUAGE=C lscpu | grep "Model name"
Model name: AMD Ryzen 5 5600G with Radeon Graphics
$ lspci | grep VGA
00:01.0 VGA compatible controller: Red Hat, Inc. Virtio 1.0 GPU (rev 01)
Installed and tested without issues. Tested desktop applications, OpenGL and Vulkan, Steam, Steam games, video.
Host system: See comment 6.
Guest System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics, Radeon RX 6500 XT using amdgpu display driver using PCI passthrough.
$ uname -a
Linux jupiter-vm-mageia-9-jogos 6.4.16-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Tue Oct 10 16:51:28 UTC 2023 x86_64 GNU/Linux
$ rpm -qa | grep x11-server | sort -u
x11-server-common-21.1.8-7.1.mga9
x11-server-xorg-21.1.8-7.1.mga9
x11-server-xwayland-22.1.9-1.1.mga9
$ LANGUAGE=C lscpu | grep "Model name"
Model name: AMD Ryzen 5 5600G with Radeon Graphics
$ lspci | grep VGA
0c:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Navi 24 [Radeon RX 6400/6500 XT/6500M] (rev c1)
On Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, Mageia 8 and Mageia 9 Xfce systems, installed and tested without issues. Tested some applications, no issues to report. Updated the Mageia 9 system to kernel-desktop 6.4.16-5, and still no issues. OKing this for both releases and arches, and validating.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK MGA8-32-OK MGA9-32-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
mga9-64 OK here
HW: Intel i7-870, P55 chipset, nvidia470-470.199.02-3 on GTX750
SW: Plasma X11, Normal desktop apps, VirtualBox MSW7 guest suspend-resume
CC: (none) => fri
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0307.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED