SCIENTIFIC-LINUX-USERS Archives

July 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Pat Riehecky
Reply To: Pat Riehecky
Date: Wed, 11 Jul 2012 08:14:02 -0500

The gnome-screensaver package was added to resolve an issue with 
conflicts.  It wasn't a security update itself, but rather a requirement 
of the new xorg package.  The gnome-screensaver package was released as 
a non-security update previously.

On 07/11/2012 01:19 AM, lefffhalm wrote:
> Hi, perhaps a stupid question, but with rsync the new security package 
> got the date Dec. 11th, 2011 which interferes with our system to delay 
> installation to servers for a day after testing on.
>
> Is there any reason why new packages are either released long after 
> creation or that they have a strange date?
>
> Cheers
> Kai
>
>
> On 2012-07-10 16:03, Pat Riehecky wrote:
>> The following packages are being added to resolve an issue with conflicts:
>>
>> i386:
>> gnome-screensaver-2.28.3-18.el6.i686.rpm
>>
>> x86_64:
>> gnome-screensaver-2.28.3-18.el6.x86_64.rpm
>>
>>
>> On 07/09/2012 10:00 AM, Patrick Riehecky wrote:
>>> Synopsis: Low: xorg-x11-server security and bug fix update
>>> Issue Date: 2012-06-20
>>> CVE Numbers: CVE-2011-4029
>>> CVE-2011-4028
>>>
>>>
>>> X.Org is an open source implementation of the X Window System. It provides
>>> the basic low-level functionality that full-fledged graphical user
>>> interfaces are designed upon.
>>>
>>> A flaw was found in the way the X.Org server handled lock files. A local
>>> user with access to the system console could use this flaw to determine the
>>> existence of a file in a directory not accessible to the user, via a
>>> symbolic link attack. (CVE-2011-4028)
>>>
>>> A race condition was found in the way the X.Org server managed temporary
>>> lock files. A local attacker could use this flaw to perform a symbolic link
>>> attack, allowing them to make an arbitrary file world readable, leading to
>>> the disclosure of sensitive information. (CVE-2011-4029)
>>>
>>>
>>> This update also fixes the following bugs:
>>>
>>> * Prior to this update, the KDE Display Manager (KDM) could pass invalid
>>> 24bpp pixmap formats to the X server. As a consequence, the X server could
>>> unexpectedly abort. This update modifies the underlying code to pass the
>>> correct formats.
>>>
>>> * Prior to this update, absolute input devices, like the stylus of a
>>> graphic tablet, could become unresponsive in the right-most or bottom-most
>>> screen if the X server was configured as a multi-screen setup through
>>> multiple "Device" sections in the xorg.conf file. This update changes the
>>> screen crossing behavior so that absolute devices are always mapped across
>>> all screens.
>>>
>>> * Prior to this update, the misleading message "Session active, not
>>> inhibited, screen idle. If you see this test, your display server is broken
>>> and you should notify your distributor." could be displayed after resuming
>>> the system or re-enabling the display, and included a URL to an external
>>> web page. This update removes this message.
>>>
>>> * Prior to this update, the erroneous input handling code of the Xephyr
>>> server disabled screens on a screen crossing event. The focus was only on
>>> the screen where the mouse was located and only this screen was updated
>>> when the Xephyr nested X server was configured in a multi-screen setup.
>>> This update removes this code and Xephyr now correctly updates screens in
>>> multi-screen setups.
>>>
>>> * Prior to this update, raw events did not contain relative axis values. As
>>> a consequence, clients which relied on relative values for functioning did
>>> not behave as expected. This update sets the values to the original driver
>>> values instead of the already transformed values. Now, raw events contain
>>> relative axis values as expected.
>>>
>>> All users of xorg-x11-server are advised to upgrade to these updated
>>> packages, which correct these issues. All running X.Org server instances
>>> must be restarted for this update to take effect.
>>>
>>> SL6:
>>> i386
>>> xorg-x11-server-common-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-debuginfo-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-devel-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-Xdmx-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-Xephyr-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-Xnest-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-Xorg-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-Xvfb-1.10.6-1.sl6.i686.rpm
>>> noarch
>>> xorg-x11-server-source-1.10.6-1.sl6.noarch.rpm
>>> x86_64
>>> xorg-x11-server-common-1.10.6-1.sl6.x86_64.rpm
>>> xorg-x11-server-debuginfo-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-debuginfo-1.10.6-1.sl6.x86_64.rpm
>>> xorg-x11-server-devel-1.10.6-1.sl6.i686.rpm
>>> xorg-x11-server-devel-1.10.6-1.sl6.x86_64.rpm
>>> xorg-x11-server-Xdmx-1.10.6-1.sl6.x86_64.rpm
>>> xorg-x11-server-Xephyr-1.10.6-1.sl6.x86_64.rpm
>>> xorg-x11-server-Xnest-1.10.6-1.sl6.x86_64.rpm
>>> xorg-x11-server-Xorg-1.10.6-1.sl6.x86_64.rpm
>>> xorg-x11-server-Xvfb-1.10.6-1.sl6.x86_64.rpm
>>>
>>> - Scientific Linux Development Team
>>
>>
>


-- 
Pat Riehecky
Scientific Linux Developer
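
The quoted advisory describes symbolic link attacks against lock files (CVE-2011-4028, CVE-2011-4029). As an added illustration, not taken from the X.Org source or from this thread, the following C sketch shows a general race-free way to create such a file; the helper name create_lock and the file contents are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a PID lock file at `path` without ever
 * following a symlink. Returns 0 on success, -1 on failure (errno set). */
int create_lock(const char *path)
{
    char buf[32];
    struct stat st;
    int fd, len, saved;

    /* O_EXCL fails with EEXIST if the name already exists, even as a
     * dangling symlink, so a pre-planted link is never opened or created
     * through. O_NOFOLLOW is a second guard on the final component. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;

    /* Check the object we actually hold, via the descriptor. */
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) {
        errno = EPERM;
        goto fail;
    }

    len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)len) != len)
        goto fail;

    /* fchmod() changes the inode behind fd. chmod(path) would resolve the
     * name again and could land on whatever the name points to by then. */
    if (fchmod(fd, 0444) != 0)
        goto fail;
    return close(fd);

fail:
    saved = errno;
    close(fd);
    unlink(path);
    errno = saved;
    return -1;
}
```
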
