According to dberkholz, "the mit-shm patch only does the security test on pixmaps of a certain bit depth rather than all of them". This means CVE-2007-6429 is incompletely fixed in bug 204362.
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commit;h=be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161
There is also a better fix for CVE-2007-3920, "Don't break grab and focus state for a window when redirecting it." -- The fix we had in bug 196878 is "a huge hack" to quote donnie again ;-)
http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commit;h=a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b
[20:42] <dberkholz> i can get ebuilds underway later this afternoon
I'm going to go ahead and add release@ so I can track this one.
Donnie has just bumped the version in the tree.
<CIA-3> dberkholz * gentoo-x86/x11-base/xorg-server/ (5 files in 2 dirs):
New ebuilds in the tree -- xorg-server-1.3.0.0-r5 and xorg-server-1.4.0.90-r3. 1.3.0.0-r5 is the stable target.
Arches, please test and mark stable:
=x11-base/xorg-server-1.3.0.0-r5
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 release sh sparc x86"
x86 stable
ppc64 stable
ppc stable
Stable for HPPA.
alpha/ia64/sparc stable
I can't believe amd64 didn't do this one yet...
Marked stable on amd64.
Request filed.
I would handle this as an erratum to the previous GLSA, no?
Sure, I wasn't thinking straight. Could someone with ssh access to finch delete the draft I made?
This bug was fixed in release snapshot.
no stable for mips.
errata sent, thanks. http://archives.gentoo.org/gentoo-announce/msg_e75f5d493fea7c6f718a850abd59598a.xml