xorg-server: CVE-2017-2624: Timing attack against MIT Cookie

Related Vulnerabilities: CVE-2017-2624  

Debian Bug report logs - #856398


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 28 Feb 2017 15:51:02 UTC

Severity: important

Tags: security, upstream

Found in version xorg-server/2:1.16.4-1

Fixed in version xorg-server/2:1.19.2-1

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#856398; Package src:xorg-server. (Tue, 28 Feb 2017 15:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 28 Feb 2017 15:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xorg-server: CVE-2017-2624: Timing attack against MIT Cookie
Date: Tue, 28 Feb 2017 16:49:26 +0100
Source: xorg-server
Version: 2:1.16.4-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for xorg-server.

CVE-2017-2624[0]:
Timing attack against MIT Cookie

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2624
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2624

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Fri, 03 Mar 2017 15:06:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 03 Mar 2017 15:06:06 GMT)


Message #10 received at 856398-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 856398-close@bugs.debian.org
Subject: Bug#856398: fixed in xorg-server 2:1.19.2-1
Date: Fri, 03 Mar 2017 15:03:56 +0000
Source: xorg-server
Source-Version: 2:1.19.2-1

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 03 Mar 2017 15:41:15 +0100
Source: xorg-server
Binary: xserver-xorg-core xserver-xorg-core-udeb xserver-xorg-dev xdmx xdmx-tools xnest xvfb xserver-xephyr xserver-common xorg-server-source xwayland xserver-xorg-legacy
Architecture: source
Version: 2:1.19.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 xdmx       - distributed multihead X server
 xdmx-tools - Distributed Multihead X tools
 xnest      - Nested X server
 xorg-server-source - Xorg X server - source files
 xserver-common - common files used by various X servers
 xserver-xephyr - nested X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-udeb - Xorg X server - core server (udeb)
 xserver-xorg-dev - Xorg X server - development files
 xserver-xorg-legacy - setuid root Xorg server wrapper
 xvfb       - Virtual Framebuffer 'fake' X server
 xwayland   - Xwayland X server
Closes: 852584 856398
Changes:
 xorg-server (2:1.19.2-1) unstable; urgency=medium
 .
   [ Andreas Boll ]
   * xserver-xorg-core.bug.script: Change udevadm path from /sbin to /bin
     (Closes: #852584).
 .
   [ Emilio Pozuelo Monfort ]
   * New upstream stable release.
     - CVE-2017-2624: Timing attack against MIT cookie. Closes: #856398.
   * control: Build-depend on libbsd-dev everywhere, needed for
     arc4random_buf for the above fix.
Checksums-Sha1:
 8e4b51728a92982a54b6329d0992e1f338a50d7b 4815 xorg-server_1.19.2-1.dsc
 3648335593b9d267e44737b89694d38b99e3aee4 8321615 xorg-server_1.19.2.orig.tar.gz
 b8fe553e65497b9a9ca8e6926d7508e9495d57ef 138162 xorg-server_1.19.2-1.diff.gz
 ff8eec207b2b8d92fb268822bd80acdf271b4575 9642 xorg-server_1.19.2-1_source.buildinfo
Checksums-Sha256:
 e71c0d6989af82956394849d6ce5fd5d0cea4c82356f745dcc5199de47da13e9 4815 xorg-server_1.19.2-1.dsc
 191d91d02c059c66747635e145c30bc1004e703fe3b74439e26c0d05d5c4d28b 8321615 xorg-server_1.19.2.orig.tar.gz
 f8ee3935bcc4122184a3e0d178cf10d6bd9ceb3610f5584ad38ad3d2dfc1961f 138162 xorg-server_1.19.2-1.diff.gz
 ecb9a782a99fe3103467a1f01ec13b4cce5adff8b0a281875013d16f72ff6a60 9642 xorg-server_1.19.2-1_source.buildinfo
Files:
 a32532a026ee82b6064234bcd0132731 4815 x11 optional xorg-server_1.19.2-1.dsc
 dfa411de6ce6fe35128d3b2e06941135 8321615 x11 optional xorg-server_1.19.2.orig.tar.gz
 7cfb576542d7a0485d439e7fa318f451 138162 x11 optional xorg-server_1.19.2-1.diff.gz
 e98688b8891fbc6238acd6c42dd3e44a 9642 x11 optional xorg-server_1.19.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
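The changelog above names the bug class (a timing attack on the MIT cookie check) and ties the fix to libbsd, but shows neither the defect nor the mitigation. The following is an added illustration written for this page, not code from xorg-server or libbsd. It contrasts an early-exit byte comparison, whose amount of work depends on where the first mismatching byte sits, with a constant-time comparison that always examines the whole cookie; the standard mitigation for this bug class is the latter. Rather than measuring noisy wall-clock time, each comparison reports how many bytes it examined. All cookie values are constructed, the function names are this example's own, and cookie generation (the part of the upstream fix the changelog associates with arc4random_buf) is out of scope here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MIT-MAGIC-COOKIE-1 cookies are 128 bits; the values below are constructed. */
#define COOKIE_LEN 16

static const uint8_t stored_cookie[COOKIE_LEN] = {
    0x3a, 0x7f, 0x11, 0xc4, 0x9e, 0x02, 0x58, 0xbd,
    0x6c, 0xe1, 0x47, 0x90, 0x2b, 0xf5, 0x8a, 0x1d
};
/* Same as stored_cookie except for byte 0. */
static const uint8_t guess_wrong_at_0[COOKIE_LEN] = {
    0x3b, 0x7f, 0x11, 0xc4, 0x9e, 0x02, 0x58, 0xbd,
    0x6c, 0xe1, 0x47, 0x90, 0x2b, 0xf5, 0x8a, 0x1d
};
/* Same as stored_cookie except for byte 8. */
static const uint8_t guess_wrong_at_8[COOKIE_LEN] = {
    0x3a, 0x7f, 0x11, 0xc4, 0x9e, 0x02, 0x58, 0xbd,
    0x6d, 0xe1, 0x47, 0x90, 0x2b, 0xf5, 0x8a, 0x1d
};

/* Early-exit comparison (the defective pattern): returns at the first
 * differing byte, so the work done, reported through *examined, depends
 * on how long the common prefix is. That data-dependent work is the
 * signal a timing attack measures. */
static int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n,
                       size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: touches every byte, folds all differences
 * into one accumulator with OR, and derives the result arithmetically,
 * so neither the loop count nor the branch pattern depends on the data.
 * Stand-alone reimplementation of the idea behind libbsd's
 * timingsafe_bcmp(); not the library's code. */
static int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n,
                    size_t *examined)
{
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    *examined = n;
    /* diff is 0..255: (diff - 1) >> 8 is all-ones only when diff == 0. */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Helpers exposing the examined-byte counts for a given guess. */
size_t bytes_examined_leaky(const uint8_t *guess)
{
    size_t n = 0;
    leaky_memeq(stored_cookie, guess, COOKIE_LEN, &n);
    return n;
}

size_t bytes_examined_ct(const uint8_t *guess)
{
    size_t n = 0;
    ct_memeq(stored_cookie, guess, COOKIE_LEN, &n);
    return n;
}

/* Hardened cookie check: the length test is fine to short-circuit because
 * the cookie length is not secret; the contents are compared in constant
 * time. Returns 1 on match, 0 otherwise. */
int cookie_matches(const uint8_t *presented, size_t presented_len)
{
    size_t n = 0;
    if (presented_len != COOKIE_LEN)
        return 0;
    return ct_memeq(stored_cookie, presented, COOKIE_LEN, &n);
}

int main(void)
{
    const uint8_t *guesses[] = { guess_wrong_at_0, guess_wrong_at_8, stored_cookie };
    const char *labels[] = { "wrong at byte 0", "wrong at byte 8", "correct" };

    printf("%-16s %6s %6s\n", "guess", "leaky", "ct");
    for (size_t i = 0; i < 3; i++)
        printf("%-16s %6zu %6zu\n", labels[i],
               bytes_examined_leaky(guesses[i]), bytes_examined_ct(guesses[i]));
    return 0;
}
```

The leaky column grows with the length of the correct prefix (1, 9, 16 bytes examined), which is exactly the per-byte oracle a remote caller could try to observe; the constant-time column is 16 for every guess. Note that constant work is the property that matters, not merely avoiding `memcmp`: a compiler may still optimise a naive rewrite, so production code should use a vetted routine such as libbsd's rather than hand-rolling one.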




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 08 Apr 2017 07:32:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:00:13 2019; Machine Name: buxtehude
