Description
Security update for xorg-x11-server
This update for xorg-x11-server fixes the following security issues:
- CVE-2017-2624: Prevent timing attack against MIT cookie. (boo#1025029)
- Use arc4random to generate cookies with more randomness. (boo#1025084)
- Remove unused function with use-after-free issue. (boo#1025035)
Package list
openSUSE Leap 42.2
xorg-x11-server-7.6_1.18.3-12.15.2
xorg-x11-server-extra-7.6_1.18.3-12.15.2
xorg-x11-server-sdk-7.6_1.18.3-12.15.2
xorg-x11-server-source-7.6_1.18.3-12.15.2
References
- E-Mail link for openSUSE-SU-2017:1610-1
- SUSE Security Ratings
Description
It was found that xorg-x11-server up to and including version 1.19.0 uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, the client is allowed to attach to the Xorg session. Since most memcmp() implementations return as soon as a mismatching byte is seen, the comparison takes measurably longer when more leading bytes are correct, and this time difference could allow an efficient brute-force attack on the cookie.
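To make the defect concrete, the following added example (not xorg-x11-server's own code; the upstream fix replaced memcmp() with a timing-safe comparison) shows the early-exit memcmp() check next to a constant-time check and a list lookup that does not stop at the first match. The function names, the sample cookie values and the fixed 16-byte cookie length are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16   /* MIT-MAGIC-COOKIE-1 values are 16 bytes */

/* Leaky check, shown for contrast: memcmp() may return at the first
 * differing byte, so run time grows with the length of the matching prefix. */
int cookie_equal_leaky(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, COOKIE_LEN) == 0;
}

/* Constant-time check: every byte is visited and differences are
 * OR-accumulated, so run time does not depend on where bytes differ. */
int cookie_equal_ct(const unsigned char *a, const unsigned char *b)
{
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    unsigned int d = diff;              /* 0 only if every byte matched */
    return (int)(((d - 1u) >> 8) & 1u); /* map 0 -> 1, nonzero -> 0, no branch */
}

/* Check against every configured cookie without stopping at the first match,
 * so total time does not reveal which entry (if any) matched either. */
int cookie_accepted(const unsigned char *received,
                    const unsigned char valid[][COOKIE_LEN], size_t count)
{
    int found = 0;
    for (size_t i = 0; i < count; i++)
        found |= cookie_equal_ct(received, valid[i]);
    return found;
}

/* Constructed sample cookies for the demo, not real session secrets. */
static const unsigned char SAMPLE_VALID[2][COOKIE_LEN] = {
    "0123456789abcdef", "fedcba9876543210"
};

int main(void)
{
    const unsigned char *good = (const unsigned char *)"fedcba9876543210";
    const unsigned char *bad  = (const unsigned char *)"fedcba987654321X";
    printf("good accepted: %d\n", cookie_accepted(good, SAMPLE_VALID, 2)); /* 1 */
    printf("bad accepted:  %d\n", cookie_accepted(bad, SAMPLE_VALID, 2));  /* 0 */
    return 0;
}
```

The `volatile` accumulator discourages the compiler from reintroducing an early exit; when a platform offers a vetted primitive such as timingsafe_memcmp() or CRYPTO_memcmp(), prefer it over a hand-rolled loop.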
Affected products
openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-12.15.2
openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-12.15.2
openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-12.15.2
openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-12.15.2
References
- CVE-2017-2624
- SUSE Bug 1025029
- SUSE Bug 1025639
- SUSE Bug 1035283