| Summary: | <x11-base/xorg-server-1.19.4: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | x11 |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lists.x.org/archives/xorg-announce/2017-October/002809.html | | |
| Whiteboard: | A3 [glsa cve] | | |
| Package list: | x11-base/xorg-server-1.19.5 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 635974 | | |
| Bug Blocks: | 493294, 611350 | | |
Description
D'juan McDonald (domhnall)
2017-10-10 06:10:00 UTC
1.19.4 has been in tree for 5 days.

I can't personally call for stable though, before I've looked into bug 633530 (help welcome).

We should be able to proceed now.

Stable on amd64

Withdrawing stabilization, as there's a regression fix in just released xorg-server-1.19.5 and more security fixes. So we should target that instead and do it all at once, I think. Especially due to the regression in 1.19.4 (but I don't know its severity). https://lists.x.org/archives/xorg-devel/2017-October/054871.html

Version bumped to 1.19.5

@arches, please test and mark for stable, thank you.

stabilization target =x11-base/xorg-server-1.19.4

see comment #5...

We have concluded together with Matt that we can proceed with 1.19.5. Bug 633530 seems to be an eudev issue now -- mixing of stable eudev with testing eudev, so not affecting full stable tree for security.

The first fixed version in tree was 1.19.4 as it's related to the reported CVE. The stabilization target can be different, but the record should reflect the actual fixed ebuild.

amd64 stable

ia64 stable

ppc/ppc64 stable (thanks to ernsteiswuerfel)

x86 stable

Stable on alpha.

arm stable

(In reply to Aaron Bauman from comment #10)
> The first fixed version in tree was 1.19.4 as it's related to the reported
> CVE. The stabilization target can be different, but the record should
> reflect the actual fixed ebuild.

there should be a record for the CVEs 1.19.5 fixed, and I suggested it be here and suggested them to be added here.

hppa stable

@maintainers, please clean the vulnerable versions.

(In reply to Mart Raudsepp from comment #17)
> (In reply to Aaron Bauman from comment #10)
> > The first fixed version in tree was 1.19.4 as it's related to the reported
> > CVE. The stabilization target can be different, but the record should
> > reflect the actual fixed ebuild.
>
> there should be a record for the CVEs 1.19.5 fixed, and I suggested it be
> here and suggested them to be added here.

Sure. Another bug can be opened to track if you want.

New GLSA request filed.

This issue was resolved and addressed in GLSA 201710-30 at https://security.gentoo.org/glsa/201710-30 by GLSA coordinator Aaron Bauman (b-man).

re-opened for cleanup

sparc stable (thanks to Rolf Eike Beer)

Vulnerable versions removed in commit 67af98328e08ad9e53a857d1b51c9ecea8716ead

Author: Matt Turner <mattst88@gentoo.org>
Date: Mon Oct 30 18:44:14 2017 -0700

x11-base/xorg-server: Drop vulnerable versions