Debian and Ubuntu have issued advisories on April 17:
http://www.debian.org/security/2013/dsa-2661
http://www.ubuntu.com/usn/usn-1803-1/

Thomas Backlund fixed it in Cauldron yesterday with x11-server-1.13.4-1.mga3.

Patched package uploaded for Mageia 2.

Patch added in Mageia 1 SVN.

Advisory:
========================

Updated x11-server packages fix security vulnerability:

It was discovered that the X.Org X server did not properly clear input events in certain circumstances. A local attacker with physical access could use this flaw to capture keystrokes (CVE-2013-1940).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1940
http://www.ubuntu.com/usn/usn-1803-1/
========================

Updated packages in core/updates_testing:
========================
x11-server-1.11.4-2.2.mga2
x11-server-devel-1.11.4-2.2.mga2
x11-server-common-1.11.4-2.2.mga2
x11-server-xorg-1.11.4-2.2.mga2
x11-server-xdmx-1.11.4-2.2.mga2
x11-server-xnest-1.11.4-2.2.mga2
x11-server-xvfb-1.11.4-2.2.mga2
x11-server-xephyr-1.11.4-2.2.mga2
x11-server-xfake-1.11.4-2.2.mga2
x11-server-xfbdev-1.11.4-2.2.mga2
x11-server-source-1.11.4-2.2.mga2

from x11-server-1.11.4-2.2.mga2.src.rpm

Reproducible:

Steps to Reproduce:
POC https://bugs.freedesktop.org/show_bug.cgi?id=63353
CC: (none) => davidwhodgins
Testing MGA2-32. Unable to reproduce bug under switch conditions with KDE. The PoC used gnome, which won't allow user switching without GDM as display manager. Tested general use, all OK. Tried switching again, still no pw in the text editor of first account.
CC: (none) => wrw105
Whiteboard: (none) => MGA2-32-OK
Testing complete mga2 64

All tty's still ok, syslog still on tty12, KDM/KDE ok. Rebooted ok.

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2-32-OK => MGA2-32-OK mga2-64-ok
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0140
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED