From: | Robert Buchholz <rbu@g.o> |
---|---|
To: | gentoo-announce@l.g.o |
Cc: | bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com |
Subject: | [gentoo-announce] ERRATA: [ GLSA 200801-09 ] X.Org X server and Xfont library: Multiple vulnerabilities |
Date: | Wed, 05 Mar 2008 20:55:32 |
Message-Id: | 200803052148.03360.rbu@gentoo.org |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE] GLSA 200801-09:03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: X.Org X server and Xfont library: Multiple vulnerabilities
Date: January 20, 2008
Updated: March 05, 2008
Bugs: #204362, #208343
ID: 200801-09:03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The previous version of the X.Org X server (1.3.0.0-r4) did not
properly address the integer overflow vulnerability in the MIT-SHM
extension (CVE-2007-6429). It failed to check on Pixmaps of certain
bit depths.

All users of the X.Org X server package should upgrade to
x11-base/xorg-server-1.3.0.0-r5.

The corrected sections appear below.

Affected packages
=================

-------------------------------------------------------------------
   Package               /  Vulnerable   /  Unaffected
-------------------------------------------------------------------
1  x11-base/xorg-server     < 1.3.0.0-r5    >= 1.3.0.0-r5
2  x11-libs/libXfont        < 1.3.1-r1      >= 1.3.1-r1
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Resolution
==========

All X.Org X server users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.3.0.0-r5"

All X.Org Xfont library users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.3.1-r1"

References
==========

[ 1 ] CVE-2007-5760
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5760
[ 2 ] CVE-2007-5958
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5958
[ 3 ] CVE-2007-6427
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6427
[ 4 ] CVE-2007-6428
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6428
[ 5 ] CVE-2007-6429
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6429
[ 6 ] CVE-2008-0006
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0006
[ 7 ] X.Org security advisory
      http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200801-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
File name | MIME type |
---|---|
signature.asc | application/pgp-signature |
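
Added example (not part of the advisory and not Portage code): a Python check of an installed-package inventory against the thresholds in the "Affected packages" table, showing that a host already on the earlier 1.3.0.0-r4 fix is still flagged. The names FIXED, parse_version and needs_upgrade are hypothetical, the sample inventory is constructed, and only versions of the simple form N.N.N[-rN] are assumed.

```python
import re

# Fixed versions, taken from the advisory's "Affected packages" table.
FIXED = {
    "x11-base/xorg-server": "1.3.0.0-r5",
    "x11-libs/libXfont": "1.3.1-r1",
}

# Assumption: only plain dotted-numeric versions with an optional -rN
# revision are handled; suffixes such as _rc or _p are rejected, not guessed.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Return ((n1, n2, ...), revision) for a version like '1.3.0.0-r5'."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unsupported version syntax: {version!r}")
    parts = match.group(1).split(".")
    # Components with leading zeros compare specially in Portage; refuse them
    # here instead of silently mis-ordering.
    if any(len(p) > 1 and p.startswith("0") for p in parts):
        raise ValueError(f"leading-zero component not supported: {version!r}")
    return tuple(int(p) for p in parts), int(match.group(2) or 0)


def needs_upgrade(installed):
    """Return the sorted package names whose installed version is below the fix."""
    flagged = []
    for package, fixed in FIXED.items():
        current = installed.get(package)
        if current is None:
            continue  # package not installed, nothing to upgrade
        if parse_version(current) < parse_version(fixed):
            flagged.append(package)
    return sorted(flagged)


# Constructed sample: a host that applied the original GLSA but not the errata.
SAMPLE_INVENTORY = {
    "x11-base/xorg-server": "1.3.0.0-r4",
    "x11-libs/libXfont": "1.3.1-r1",
}

if __name__ == "__main__":
    for name in needs_upgrade(SAMPLE_INVENTORY):
        print(f"{name}: upgrade to >= {FIXED[name]}")
```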