[oi-dev] Security patch for Xorg 19.x

Aurélien Larcher aurelien.larcher at gmail.com
Wed Oct 31 15:26:36 UTC 2018


On Wed, Oct 31, 2018 at 9:10 AM Udo Grabowski (IMK) <udo.grabowski at kit.edu>
wrote:

> On 30/10/2018 11:25, Peter Tribble wrote:
> >
> >
> > On Tue, Oct 30, 2018 at 10:13 AM Udo Grabowski (IMK) <udo.grabowski at kit.edu> wrote:
> >
> >     This Xorg patch should be immediately merged in Hipster:
> >
> >
> > It was merged and updated packages published last Thursday, by the looks of it:
> >
> > commit b694face8cd955399d90fae658d6a01fb1fa9c5b
> > Author: Aurelien Larcher <aurelien.larcher at gmail.com>
> > Date:   Thu Oct 25 19:31:53 2018 +0200
> >
> >     xorg-server: CVE-2018-14665
> >
> >
> >
> >     <https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e>
> >
> >
> >     That check had been part of older Xorgs, e.g., on oi_151a9.
> >
> >     See the really nasty CVE-2018-14665:
> >     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14665>
> >     --
> > ...
> > --
> > -Peter Tribble
> > http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
>
> Indeed, didn't find x11 because I was on the wrong branch
> <https://github.com/OpenIndiana/oi-userland/tree/upstream/components>
> instead of
> <https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/components>
>
> Security bugs like that completely destroy my approach of jumping
> from one 'stable' release to the next, so the only secure way is indeed
> a rolling release if you don't have enough manpower to maintain a
> cherry-picking 'stable' major-bugfix-only branch.
>

You can probably just unlock the version facet to allow update of xorg only
while keeping the rest of userland-incorporation in place.



> --
> Dr.Udo Grabowski   Inst.f.Meteorology & Climate Research IMK-ASF-SAT
> http://www.imk-asf.kit.edu/english/sat.php
> KIT - Karlsruhe Institute of Technology           http://www.kit.edu
> Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026
>
> _______________________________________________
> oi-dev mailing list
> oi-dev at openindiana.org
> https://openindiana.org/mailman/listinfo/oi-dev



-- 
---
Praise the Caffeine embeddings