-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:119
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : x11-server
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated x11-server packages fix security vulnerabilities:

 Ilja van Sprundel of IOActive discovered several security issues in the
 X.org X server, which may lead to privilege escalation or denial of
 service (CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094,
 CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098,
 CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102).

 Olivier Fourdan from Red Hat has discovered a protocol handling issue in
 the way the X server code base handles the XkbSetGeometry request, where
 the server trusts the client to send valid string lengths. A malicious
 client with string lengths exceeding the request length can cause the
 server to copy adjacent memory data into the XKB structs. This data is
 then available to the client via the XkbGetGeometry request. This can
 lead to information disclosure issues, as well as possibly a denial of
 service if a similar request can cause the server to crash
 (CVE-2015-0255).
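The XkbSetGeometry issue described above is a missing bounds check on a client-supplied string length. As an added example (not X.org code, and using a simplified counted-string layout as a stand-in for the real XKB wire format), this C function shows the check a request parser needs before copying such a string, and rejects a constructed request whose declared length runs past the request buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a counted string inside an X request:
 * a 16-bit little-endian length, then that many bytes, padded to a
 * 4-byte boundary. Illustrative format only, not the real XKB encoding. */
#define PAD4(n) (((n) + 3) & ~3u)

/* Copy a counted string at offset off of req[] (req_len bytes) into out[].
 * Returns the number of request bytes consumed, or -1 if the declared
 * length does not fit inside the remaining request (the check whose
 * absence lets adjacent server memory be copied into the XKB structs). */
int read_counted_string(const uint8_t *req, size_t req_len, size_t off,
                        char *out, size_t out_cap) {
    if (off + 2 > req_len) return -1;          /* no room for the length field */
    uint16_t len = (uint16_t)(req[off] | (req[off + 1] << 8));
    size_t remaining = req_len - off - 2;      /* bytes after the length field */
    size_t consumed = 2 + PAD4(len);
    /* Validate against the request length BEFORE memcpy; the vulnerable
     * pattern trusts len and copies whatever lies past the request. */
    if (len > remaining || consumed > req_len - off) return -1;
    if ((size_t)len + 1 > out_cap) return -1;  /* would overflow the destination */
    memcpy(out, req + off + 2, len);
    out[len] = '\0';
    return (int)consumed;
}

/* Constructed sample: well-formed request carrying "kbd" (len 3, padded to 4). */
static const uint8_t good_req[] = {0x03, 0x00, 'k', 'b', 'd', 0x00};
/* Constructed sample: same payload, but the client claims 200 bytes in a
 * 6-byte request, the shape of input the advisory describes. */
static const uint8_t bad_req[]  = {0xC8, 0x00, 'k', 'b', 'd', 0x00};

/* Returns 1 when the good request parses and the oversized one is rejected. */
int samples_behave(void) {
    char buf[64];
    int n = read_counted_string(good_req, sizeof good_req, 0, buf, sizeof buf);
    if (n != 6 || strcmp(buf, "kbd") != 0) return 0;
    return read_counted_string(bad_req, sizeof bad_req, 0, buf, sizeof buf) == -1;
}

int main(void) {
    printf("bounds check %s\n", samples_behave() ? "works" : "FAILED");
    return 0;
}
```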
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
 http://advisories.mageia.org/MGASA-2014-0532.html
 http://advisories.mageia.org/MGASA-2015-0073.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 d9de24245bf452fa208ce722ce58c0c4  mbs2/x86_64/x11-server-1.14.5-3.1.mbs2.x86_64.rpm
 ef5ee1a16e59ffae7778412941fb93e4  mbs2/x86_64/x11-server-common-1.14.5-3.1.mbs2.x86_64.rpm
 a27cff3cf97c4361132359441b13fd58  mbs2/x86_64/x11-server-devel-1.14.5-3.1.mbs2.x86_64.rpm
 407b8d00033478227c18f2b6f9c7b387  mbs2/x86_64/x11-server-source-1.14.5-3.1.mbs2.noarch.rpm
 6672056e57197215ab30be5763ce9422  mbs2/x86_64/x11-server-xdmx-1.14.5-3.1.mbs2.x86_64.rpm
 864929bb7acad38a28cb8f126b440600  mbs2/x86_64/x11-server-xephyr-1.14.5-3.1.mbs2.x86_64.rpm
 a29866186220c8f71eb18486a132ae57  mbs2/x86_64/x11-server-xfake-1.14.5-3.1.mbs2.x86_64.rpm
 866e5323ec9efd6857e8ec83d3109ac2  mbs2/x86_64/x11-server-xfbdev-1.14.5-3.1.mbs2.x86_64.rpm
 65906a705206237aab0303b5dd9358d8  mbs2/x86_64/x11-server-xnest-1.14.5-3.1.mbs2.x86_64.rpm
 3840ccdf06db9d53914af96cee6e487d  mbs2/x86_64/x11-server-xorg-1.14.5-3.1.mbs2.x86_64.rpm
 8d9de7a9081ec613edac5e27b339af24  mbs2/x86_64/x11-server-xvfb-1.14.5-3.1.mbs2.x86_64.rpm
 5bb951907ff0d8ae6087f812d8cf069b  mbs2/SRPMS/x11-server-1.14.5-3.1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7vNmqjQ0CJFipgRApeZAJoDcvfgKg1km5JKQz+iWRo/aZbCPgCg5PEC
rUnw2V62YoeD+/u29uMFLxs=
=0EhW
-----END PGP SIGNATURE-----