Your message dated Wed, 09 May 2007 10:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#422936: fixed in xorg-server 2:1.3.0.0.dfsg-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: xorg-server
Severity: important
Hi,
CVE-2007-2437 came out recently, and its description reads:
The X render (Xrender) extension in X.org X Window System 7.0, 7.1,
and 7.2, with Xserver 1.3.0 and earlier, allows remote authenticated
users to cause a denial of service (daemon crash) via crafted values
to the (1) XRenderCompositeTrapezoids and (2) XRenderAddTraps
functions, which trigger a divide-by-zero error.
More information can be found here:
http://xforce.iss.net/xforce/xfdb/33976
http://www.rapid7.com/advisories/R7-0027.jsp
http://www.securitytracker.com/id?1017984
According to the information referenced there the solution is to
"Upgrade to the latest version of X.Org Server (7.2 with Xserver 1.3.1
or later), available from the X.Org Foundation Web site"
Please include the CVE reference in any changelogs that reference this
issue.
Thanks!
Micah
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Source: xorg-server
Source-Version: 2:1.3.0.0.dfsg-4
We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive:
xdmx-tools_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xdmx-tools_1.3.0.0.dfsg-4_i386.deb
xdmx_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xdmx_1.3.0.0.dfsg-4_i386.deb
xnest_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xnest_1.3.0.0.dfsg-4_i386.deb
xorg-server_1.3.0.0.dfsg-4.diff.gz
to pool/main/x/xorg-server/xorg-server_1.3.0.0.dfsg-4.diff.gz
xorg-server_1.3.0.0.dfsg-4.dsc
to pool/main/x/xorg-server/xorg-server_1.3.0.0.dfsg-4.dsc
xprint-common_1.3.0.0.dfsg-4_all.deb
to pool/main/x/xorg-server/xprint-common_1.3.0.0.dfsg-4_all.deb
xprint_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xprint_1.3.0.0.dfsg-4_i386.deb
xserver-xephyr_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xserver-xephyr_1.3.0.0.dfsg-4_i386.deb
xserver-xorg-core-dbg_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xserver-xorg-core-dbg_1.3.0.0.dfsg-4_i386.deb
xserver-xorg-core_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xserver-xorg-core_1.3.0.0.dfsg-4_i386.deb
xserver-xorg-dev_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xserver-xorg-dev_1.3.0.0.dfsg-4_i386.deb
xvfb_1.3.0.0.dfsg-4_i386.deb
to pool/main/x/xorg-server/xvfb_1.3.0.0.dfsg-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <[EMAIL PROTECTED]> (supplier of updated xorg-server package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Wed, 09 May 2007 02:11:08 +0200
Source: xorg-server
Binary: xserver-xephyr xprint xserver-xorg-core xvfb xserver-xorg-dev xdmx
xprint-common xdmx-tools xserver-xorg-core-dbg xnest
Architecture: source i386 all
Version: 2:1.3.0.0.dfsg-4
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <[EMAIL PROTECTED]>
Description:
xdmx - Distributed Multihead X server
xdmx-tools - Distributed Multihead X tools
xnest - Nested X server
xprint - Xprint - the X11 print system (binary)
xprint-common - Xprint - the X11 print system (configuration files)
xserver-xephyr - Next Generation Nested X Server
xserver-xorg-core - X.Org X server -- core server
xserver-xorg-core-dbg - Xorg - the X.Org X server (debugging symbols)
xserver-xorg-dev - X.Org X server -- development files
xvfb - Virtual Framebuffer 'fake' X server
Closes: 422936
Changes:
xorg-server (2:1.3.0.0.dfsg-4) unstable; urgency=low
.
* Cherry-pick patch from upstream git to fix security issue in the Xrender
extension: malicious clients can cause a division by zero in the server
(closes: #422936). Reference: CVE-2007-2437. Thanks, Micah Anderson!
Files:
--- End Message ---