Gentoo: GLSA-202303-06 Urgent: OpenSSL Vulnerability Exposure Risk
gentoo
April 10, 2017
Multiple vulnerabilities have been found in X.Org server and libraries, the worse of which allowing local attackers to execute arbitrary code
Summary
Multiple vulnerabilities have been discovered in X.Org server and libraries. Please review the CVE identifiers referenced below for details.
Topics Covered
Resolution
All X.Org-server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-1.19.2"
All libICE users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libICE-1.0.9-r1"
All libXdmcp users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXdmcp-1.1.2-r1"
All libXrender users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXrender-0.9.10"
All libXi users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXi-1.7.7"
All libXrandr users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXrandr-1.5.1"
All libXfixes users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXfixes-5.0.3"
All libXv users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXv-1.0.11"
All libICE users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libICE-1.0.9-r1"
All libXdmcp users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXdmcp-1.1.2-r1"
All libXrender users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXrender-0.9.10"
All libXi users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXi-1.7.7"
All libXrandr users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXrandr-1.5.1"
All libXfixes users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXfixes-5.0.3"
All libXv users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-libs/libXv-1.0.11"
References
[ 1 ] CVE-2016-5407 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5407 [ 2 ] CVE-2016-7942 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7942 [ 3 ] CVE-2016-7943 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7943 [ 4 ] CVE-2016-7944 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7944 [ 5 ] CVE-2016-7945 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7945 [ 6 ] CVE-2016-7946 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7946 [ 7 ] CVE-2016-7947 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7947 [ 8 ] CVE-2016-7948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7948 [ 9 ] CVE-2016-7949 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7949 [ 10 ] CVE-2016-7950 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7950 [ 11 ] CVE-2016-7953 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7953 [ 12 ] CVE-2017-2624 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2624 [ 13 ] CVE-2017-2625 http://nvd.nist.gov/nvd.cfm?cvena...
Read the Full AdvisoryAvailability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website: https://security.gentoo.org/glsa/201704-03
style>.gentoo_availability{display:block;}
Concerns
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
PREVIOUS 
NEXT Severity: High
Title: X.Org: Multiple vulnerabilities
Date: April 10, 2017
Bugs: #596182, #611350, #611352, #611354
ID: 201704-03
Topics Covered
Background
X.Org X servers
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Affected Packages
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 x11-base/xorg-server < 1.19.2 >= 1.19.2 2 x11-libs/libICE < 1.0.9-r1 >= 1.0.9-r1 3 x11-libs/libXdmcp < 1.1.2-r1 >= 1.1.2-r1 4 x11-libs/libXrender < 0.9.10 >= 0.9.10 5 x11-libs/libXi < 1.7.7 >= 1.7.7 6 x11-libs/libXrandr < 1.5.1 >= 1.5.1 7 x11-libs/libXfixes < 5.0.3 >= 5.0.3 8 x11-libs/libXv < 1.0.11 >= 1.0.11 ------------------------------------------------------------------- 8 affected packages
Impact
=====
A local or remote users can utilize the vulnerabilities to attach to
the X.Org session as a user and execute arbitrary code.
Workaround
There is no known workaround at this time.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!