SCIENTIFIC-LINUX-USERS Archives

July 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: lefffhalm <[log in to unmask]>
Reply To: lefffhalm <[log in to unmask]>
Date: Wed, 11 Jul 2012 08:19:46 +0200

Hi, perhaps a stupid question, but with rsync the new security package 
got the date Dec. 11th, 2011 which interferes with our system to delay 
installation to servers for a day after testing on.

Is there any reason why new packages are either released long after 
creation or that they have a strange date?

Cheers
Kai


On 2012-07-10 16:03, Pat Riehecky wrote:
> The following packages are being added to resolve an issue with conflicts:
>
> i386:
> gnome-screensaver-2.28.3-18.el6.i686.rpm
>
> x86_64:
> gnome-screensaver-2.28.3-18.el6.x86_64.rpm
>
>
> On 07/09/2012 10:00 AM, Patrick Riehecky wrote:
>> Synopsis: Low: xorg-x11-server security and bug fix update
>> Issue Date: 2012-06-20
>> CVE Numbers: CVE-2011-4029, CVE-2011-4028
>>
>>
>> X.Org is an open source implementation of the X Window System. It
>> provides the basic low-level functionality that full-fledged graphical
>> user interfaces are designed upon.
>>
>> A flaw was found in the way the X.Org server handled lock files. A local
>> user with access to the system console could use this flaw to determine
>> the existence of a file in a directory not accessible to the user, via a
>> symbolic link attack. (CVE-2011-4028)
>>
>> A race condition was found in the way the X.Org server managed temporary
>> lock files. A local attacker could use this flaw to perform a symbolic
>> link attack, allowing them to make an arbitrary file world readable,
>> leading to the disclosure of sensitive information. (CVE-2011-4029)
>>
>>
>> This update also fixes the following bugs:
>>
>> * Prior to this update, the KDE Display Manager (KDM) could pass invalid
>> 24bpp pixmap formats to the X server. As a consequence, the X server
>> could unexpectedly abort. This update modifies the underlying code to
>> pass the correct formats.
>>
>> * Prior to this update, absolute input devices, like the stylus of a
>> graphic tablet, could become unresponsive in the right-most or
>> bottom-most screen if the X server was configured as a multi-screen
>> setup through multiple "Device" sections in the xorg.conf file. This
>> update changes the screen crossing behavior so that absolute devices are
>> always mapped across all screens.
>>
>> * Prior to this update, the misleading message "Session active, not
>> inhibited, screen idle. If you see this test, your display server is
>> broken and you should notify your distributor." could be displayed after
>> resuming the system or re-enabling the display, and included a URL to an
>> external web page. This update removes this message.
>>
>> * Prior to this update, the erroneous input handling code of the Xephyr
>> server disabled screens on a screen crossing event. The focus was only on
>> the screen where the mouse was located and only this screen was updated
>> when the Xephyr nested X server was configured in a multi-screen setup.
>> This update removes this code and Xephyr now correctly updates screens in
>> multi-screen setups.
>>
>> * Prior to this update, raw events did not contain relative axis values.
>> As a consequence, clients which relied on relative values for
>> functioning did not behave as expected. This update sets the values to
>> the original driver values instead of the already transformed values.
>> Now, raw events contain relative axis values as expected.
>>
>> All users of xorg-x11-server are advised to upgrade to these updated
>> packages, which correct these issues. All running X.Org server instances
>> must be restarted for this update to take effect.
>>
>> SL6:
>> i386
>> xorg-x11-server-common-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-debuginfo-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-devel-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-Xdmx-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-Xephyr-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-Xnest-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-Xorg-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-Xvfb-1.10.6-1.sl6.i686.rpm
>> noarch
>> xorg-x11-server-source-1.10.6-1.sl6.noarch.rpm
>> x86_64
>> xorg-x11-server-common-1.10.6-1.sl6.x86_64.rpm
>> xorg-x11-server-debuginfo-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-debuginfo-1.10.6-1.sl6.x86_64.rpm
>> xorg-x11-server-devel-1.10.6-1.sl6.i686.rpm
>> xorg-x11-server-devel-1.10.6-1.sl6.x86_64.rpm
>> xorg-x11-server-Xdmx-1.10.6-1.sl6.x86_64.rpm
>> xorg-x11-server-Xephyr-1.10.6-1.sl6.x86_64.rpm
>> xorg-x11-server-Xnest-1.10.6-1.sl6.x86_64.rpm
>> xorg-x11-server-Xorg-1.10.6-1.sl6.x86_64.rpm
>> xorg-x11-server-Xvfb-1.10.6-1.sl6.x86_64.rpm
>>
>> - Scientific Linux Development Team
>
>

-- 
  ____________________________________________________________
  Kai Leffhalm
   |Desy-Zeuthen               |E-Mail: [log in to unmask]
   |Platanenallee 6            |Phone:  +49 33762 7-7159
   |D-15738 Zeuthen            |Fax:    +49 33762 7-7216
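
The quoted advisory describes a race on temporary lock files that lets a symbolic link redirect a permission change (CVE-2011-4029). The following is an added example, not part of the original messages and not the X.Org code or the fix shipped in this update: a defensive way to create such a lock file so that a planted symlink is refused and the permission change applies only to the file that was actually opened. The function names `create_lock` and `run_demo` and the paths under `/tmp/lockdemoXXXXXX` are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

int victim_mode_after, lock_mode_after;   /* filled in by run_demo() */

/* Publish `lock` through temporary file `tmp` in the same directory.
 * Returns 0 on success, -1 on failure. */
int create_lock(const char *tmp, const char *lock)
{
    char pid[32];
    /* O_CREAT|O_EXCL fails if tmp already exists, even as a symlink. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int n = snprintf(pid, sizeof pid, "%10ld\n", (long)getpid());
    /* fchmod() changes the inode held open; chmod(tmp, ...) would resolve
     * the path again and follow whatever had been swapped in meanwhile. */
    int ok = write(fd, pid, (size_t)n) == n && fchmod(fd, 0444) == 0;
    close(fd);
    ok = ok && link(tmp, lock) == 0;      /* atomic; fails if lock exists */
    unlink(tmp);
    return ok ? 0 : -1;
}

/* Constructed scenario: tmp is pre-planted as a symlink to a 0600 file. */
int run_demo(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", victim[64], tmp[64], lock[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/secret", dir);
    snprintf(tmp, sizeof tmp, "%s/.tX0-lock", dir);
    snprintf(lock, sizeof lock, "%s/.X0-lock", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(victim, tmp) != 0)
        return -1;
    int refused = create_lock(tmp, lock) == -1;   /* link is in the way */
    int ok = stat(victim, &st) == 0;
    victim_mode_after = st.st_mode & 0777;
    unlink(tmp);                                  /* remove planted link */
    int created = create_lock(tmp, lock) == 0;    /* clean run succeeds */
    ok = ok && stat(lock, &st) == 0;
    lock_mode_after = st.st_mode & 0777;
    unlink(lock); unlink(victim); rmdir(dir);
    return ok && refused && created ? 0 : -1;
}
int main(void) { return run_demo(); }
```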
