SCIENTIFIC-LINUX-DEVEL Archives

July 2012

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From: Pat Riehecky <[log in to unmask]>
Reply To: Pat Riehecky <[log in to unmask]>
Date: Tue, 10 Jul 2012 08:59:16 -0500

Thanks for the report!

I'll get the gnome-screensaver package put up so that this is resolved.

Pat

On 07/10/2012 07:34 AM, David Crick wrote:
> This update caused one of my machines not to launch X.
>
> Pulling the recent batch of 6.3 security updates:
>
> Machine A:
> # yum clean all
> # yum update
>
> everything went through fine.  Re-boot for good luck
> and all as normal.
>
>
> Machine B:
> # yum clean all
> # yum update
>
> dependency conflict between xorg-x11-server and
> gnome-screensaver
>
> # yum --skip-broken
> # yum update
>
> everything else is updated
>
> # yum --remove gnome-screensaver
> # yum update
>
>   xorg-x11-server is now updated
>
> reboot.... and won't go beyond starting mouse
> console services; X is not launched.
>
> switch to a TTY:
>
> # yum downgrade xorg-x11-server
> # reboot
>
> now working again, with the older xorg-x11-server.
>
>
> Machine A *also* had gnome-screensaver
> installed, but it *didn't* kick up a dependency
> conflict.
>
> Both machines running SL6.2 x86_64
>
>
> On Mon, Jul 9, 2012 at 4:00 PM, <[log in to unmask]> wrote:
>> Synopsis:    Low: xorg-x11-server security and bug fix update
>> Issue Date:  2012-06-20
>> CVE Numbers: CVE-2011-4029
>>               CVE-2011-4028
>>
>>
>> X.Org is an open source implementation of the X Window System. It provides
>> the basic low-level functionality that full-fledged graphical user
>> interfaces are designed upon.
>>
>> A flaw was found in the way the X.Org server handled lock files. A local
>> user with access to the system console could use this flaw to determine the
>> existence of a file in a directory not accessible to the user, via a
>> symbolic link attack. (CVE-2011-4028)
>>
>> A race condition was found in the way the X.Org server managed temporary
>> lock files. A local attacker could use this flaw to perform a symbolic link
>> attack, allowing them to make an arbitrary file world readable, leading to
>> the disclosure of sensitive information. (CVE-2011-4029)
>>
>>
>> This update also fixes the following bugs:
>>
>> * Prior to this update, the KDE Display Manager (KDM) could pass invalid
>> 24bpp pixmap formats to the X server. As a consequence, the X server could
>> unexpectedly abort. This update modifies the underlying code to pass the
>> correct formats.
>>
>> * Prior to this update, absolute input devices, like the stylus of a
>> graphic tablet, could become unresponsive in the right-most or bottom-most
>> screen if the X server was configured as a multi-screen setup through
>> multiple "Device" sections in the xorg.conf file. This update changes the
>> screen crossing behavior so that absolute devices are always mapped across
>> all screens.
>>
>> * Prior to this update, the misleading message "Session active, not
>> inhibited, screen idle. If you see this test, your display server is broken
>> and you should notify your distributor." could be displayed after resuming
>> the system or re-enabling the display, and included a URL to an external
>> web page. This update removes this message.
>>
>> * Prior to this update, the erroneous input handling code of the Xephyr
>> server disabled screens on a screen crossing event. The focus was only on
>> the screen where the mouse was located and only this screen was updated
>> when the Xephyr nested X server was configured in a multi-screen setup.
>> This update removes this code and Xephyr now correctly updates screens in
>> multi-screen setups.
>>
>> * Prior to this update, raw events did not contain relative axis values. As
>> a consequence, clients which relied on relative values for functioning did
>> not behave as expected. This update sets the values to the original driver
>> values instead of the already transformed values. Now, raw events contain
>> relative axis values as expected.
>>
>> All users of xorg-x11-server are advised to upgrade to these updated
>> packages, which correct these issues. All running X.Org server instances
>> must be restarted for this update to take effect.
>>
>> SL6:
>>    i386
>>       xorg-x11-server-common-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-debuginfo-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-devel-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-Xdmx-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-Xephyr-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-Xnest-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-Xorg-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-Xvfb-1.10.6-1.sl6.i686.rpm
>>    noarch
>>       xorg-x11-server-source-1.10.6-1.sl6.noarch.rpm
>>    x86_64
>>       xorg-x11-server-common-1.10.6-1.sl6.x86_64.rpm
>>       xorg-x11-server-debuginfo-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-debuginfo-1.10.6-1.sl6.x86_64.rpm
>>       xorg-x11-server-devel-1.10.6-1.sl6.i686.rpm
>>       xorg-x11-server-devel-1.10.6-1.sl6.x86_64.rpm
>>       xorg-x11-server-Xdmx-1.10.6-1.sl6.x86_64.rpm
>>       xorg-x11-server-Xephyr-1.10.6-1.sl6.x86_64.rpm
>>       xorg-x11-server-Xnest-1.10.6-1.sl6.x86_64.rpm
>>       xorg-x11-server-Xorg-1.10.6-1.sl6.x86_64.rpm
>>       xorg-x11-server-Xvfb-1.10.6-1.sl6.x86_64.rpm
>>
>> - Scientific Linux Development Team


-- 
Pat Riehecky
Scientific Linux Developer
