Date: Sun, 29 Mar 2015 11:46:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2015:119 ] x11-server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:119
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : x11-server
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated x11-server packages fix security vulnerabilities:
 
 Ilja van Sprundel of IOActive discovered several security issues in the
 X.org X server, which may lead to privilege escalation or denial of
 service (CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094,
 CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098,
 CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102).
 
 Olivier Fourdan from Red Hat has discovered a protocol handling
 issue in the way the X server code base handles the XkbSetGeometry
 request, where the server trusts the client to send valid string
 lengths. A malicious client sending string lengths that exceed the
 request length can cause the server to copy adjacent memory data
 into the XKB structs. This data is then available to the client via
 the XkbGetGeometry request. This can lead to information disclosure
 issues, as well as possibly a denial of service if a similar request
 can cause the server to crash (CVE-2015-0255).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
 http://advisories.mageia.org/MGASA-2014-0532.html
 http://advisories.mageia.org/MGASA-2015-0073.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 d9de24245bf452fa208ce722ce58c0c4  mbs2/x86_64/x11-server-1.14.5-3.1.mbs2.x86_64.rpm
 ef5ee1a16e59ffae7778412941fb93e4  mbs2/x86_64/x11-server-common-1.14.5-3.1.mbs2.x86_64.rpm
 a27cff3cf97c4361132359441b13fd58  mbs2/x86_64/x11-server-devel-1.14.5-3.1.mbs2.x86_64.rpm
 407b8d00033478227c18f2b6f9c7b387  mbs2/x86_64/x11-server-source-1.14.5-3.1.mbs2.noarch.rpm
 6672056e57197215ab30be5763ce9422  mbs2/x86_64/x11-server-xdmx-1.14.5-3.1.mbs2.x86_64.rpm
 864929bb7acad38a28cb8f126b440600  mbs2/x86_64/x11-server-xephyr-1.14.5-3.1.mbs2.x86_64.rpm
 a29866186220c8f71eb18486a132ae57  mbs2/x86_64/x11-server-xfake-1.14.5-3.1.mbs2.x86_64.rpm
 866e5323ec9efd6857e8ec83d3109ac2  mbs2/x86_64/x11-server-xfbdev-1.14.5-3.1.mbs2.x86_64.rpm
 65906a705206237aab0303b5dd9358d8  mbs2/x86_64/x11-server-xnest-1.14.5-3.1.mbs2.x86_64.rpm
 3840ccdf06db9d53914af96cee6e487d  mbs2/x86_64/x11-server-xorg-1.14.5-3.1.mbs2.x86_64.rpm
 8d9de7a9081ec613edac5e27b339af24  mbs2/x86_64/x11-server-xvfb-1.14.5-3.1.mbs2.x86_64.rpm 
 5bb951907ff0d8ae6087f812d8cf069b  mbs2/SRPMS/x11-server-1.14.5-3.1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7vNmqjQ0CJFipgRApeZAJoDcvfgKg1km5JKQz+iWRo/aZbCPgCg5PEC
rUnw2V62YoeD+/u29uMFLxs=
=0EhW
-----END PGP SIGNATURE-----
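
Added example (not part of the Mandriva advisory and not X.org code): a simplified C model of the counted-string handling described above for CVE-2015-0255, with an unchecked copy next to one that validates the declared length against the end of the request. The wire layout, buffer contents and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: one receive buffer. Only the first REQ_LEN bytes are
 * the client's request; the bytes after it stand in for adjacent memory. */
#define REQ_LEN 6
static const uint8_t sample_buf[] = {
    12, 0,                                  /* declared length 12 (LE) */
    'k', 'e', 'y', 's',                     /* bytes the request carries */
    'A', 'D', 'J', 'A', 'C', 'E', 'N', 'T'  /* not part of the request */
};

/* Unchecked: copies however many bytes the client declared. */
static char *get_counted_unchecked(const uint8_t *wire)
{
    size_t len = (size_t)wire[0] | ((size_t)wire[1] << 8);
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memcpy(s, wire + 2, len);   /* can run past the end of the request */
    s[len] = '\0';
    return s;
}

/* Checked: the length field and the string must both lie inside the
 * request, which ends at req_end. Returns NULL for a malformed request. */
static char *get_counted_checked(const uint8_t *wire, const uint8_t *req_end)
{
    if (wire > req_end || (size_t)(req_end - wire) < 2)
        return NULL;
    size_t len = (size_t)wire[0] | ((size_t)wire[1] << 8);
    if (len > (size_t)(req_end - wire) - 2)
        return NULL;            /* declared length exceeds the request */
    char *s = malloc(len + 1);
    if (!s) return NULL;
    memcpy(s, wire + 2, len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *leak = get_counted_unchecked(sample_buf);
    char *safe = get_counted_checked(sample_buf, sample_buf + REQ_LEN);
    int ok = leak && strcmp(leak, "keysADJACENT") == 0 && safe == NULL;
    free(leak);
    free(safe);
    return ok ? 0 : 1;
}
```

The unchecked variant returns the four request bytes followed by the eight neighbouring bytes, which is the kind of data the advisory says a later XkbGetGeometry request would hand back to the client; the checked variant rejects the same input.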
