Sicherheit: Mehrere Probleme in x11-server

Lesezeichen hinzufügen

This is a multi-part message in MIME format...

------------=_1427622690-10360-19

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:119
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : x11-server
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated x11-server packages fix security vulnerabilities:

Ilja van Sprundel of IOActive discovered several security issues in the
X.org X server, which may lead to privilege escalation or denial of
service (CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094,
CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098,
CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102).

Olivier Fourdan from Red Hat has discovered a protocol handling
issue in the way the X server code base handles the XkbSetGeometry
request, where the server trusts the client to send valid string
lengths. A malicious client with string lengths exceeding the
request length can cause the server to copy adjacent memory data
into the XKB structs. This data is then available to the client via
the XkbGetGeometry request. This can lead to information disclosure
issues, as well as possibly a denial of service if a similar request
can cause the server to crash (CVE-2015-0255).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
http://advisories.mageia.org/MGASA-2014-0532.html
http://advisories.mageia.org/MGASA-2015-0073.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
d9de24245bf452fa208ce722ce58c0c4
mbs2/x86_64/x11-server-1.14.5-3.1.mbs2.x86_64.rpm
ef5ee1a16e59ffae7778412941fb93e4
mbs2/x86_64/x11-server-common-1.14.5-3.1.mbs2.x86_64.rpm
a27cff3cf97c4361132359441b13fd58
mbs2/x86_64/x11-server-devel-1.14.5-3.1.mbs2.x86_64.rpm
407b8d00033478227c18f2b6f9c7b387
mbs2/x86_64/x11-server-source-1.14.5-3.1.mbs2.noarch.rpm
6672056e57197215ab30be5763ce9422
mbs2/x86_64/x11-server-xdmx-1.14.5-3.1.mbs2.x86_64.rpm
864929bb7acad38a28cb8f126b440600
mbs2/x86_64/x11-server-xephyr-1.14.5-3.1.mbs2.x86_64.rpm
a29866186220c8f71eb18486a132ae57
mbs2/x86_64/x11-server-xfake-1.14.5-3.1.mbs2.x86_64.rpm
866e5323ec9efd6857e8ec83d3109ac2
mbs2/x86_64/x11-server-xfbdev-1.14.5-3.1.mbs2.x86_64.rpm
65906a705206237aab0303b5dd9358d8
mbs2/x86_64/x11-server-xnest-1.14.5-3.1.mbs2.x86_64.rpm
3840ccdf06db9d53914af96cee6e487d
mbs2/x86_64/x11-server-xorg-1.14.5-3.1.mbs2.x86_64.rpm
8d9de7a9081ec613edac5e27b339af24
mbs2/x86_64/x11-server-xvfb-1.14.5-3.1.mbs2.x86_64.rpm
5bb951907ff0d8ae6087f812d8cf069b
mbs2/SRPMS/x11-server-1.14.5-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7vNmqjQ0CJFipgRApeZAJoDcvfgKg1km5JKQz+iWRo/aZbCPgCg5PEC
rUnw2V62YoeD+/u29uMFLxs=
=0EhW
-----END PGP SIGNATURE-----

------------=_1427622690-10360-19
Content-Type: text/plain; charset="UTF-8";
name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

------------=_1427622690-10360-19--