Security update for xorg-x11-server SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1850-1 Final 1 1 2017-07-12T14:39:03Z current 2017-07-12T14:39:03Z 2017-07-12T14:39:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xorg-x11-server This update for xorg-x11-server fixes the following issues: - CVE-2017-10971: Fix endianess handling of GenericEvent to prevent a stack overflow by clients. (bnc#1035283) - Make sure the type of all events to be sent by ProcXSendExtensionEvent are in the allowed range. - CVE-2017-10972: Initialize the xEvent eventT with zeros to avoid information leakage. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-xorg-x11-server-13206,sleposp3-xorg-x11-server-13206,slessp3-xorg-x11-server-13206,slessp4-xorg-x11-server-13206 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171850-1/ Link for SUSE-SU-2017:1850-1 https://lists.opensuse.org/opensuse-security-announce/2017-07/msg00017.html E-Mail link for SUSE-SU-2017:1850-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1035283 SUSE Bug 1035283 https://www.suse.com/security/cve/CVE-2017-10971/ SUSE CVE CVE-2017-10971 page https://www.suse.com/security/cve/CVE-2017-10972/ SUSE CVE CVE-2017-10972 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 xorg-x11-server-sdk-7.4-27.121.2 xorg-x11-Xvnc-7.4-27.121.2 xorg-x11-server-7.4-27.121.2 xorg-x11-server-extra-7.4-27.121.2 xorg-x11-Xvnc-7.4-27.121.2 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 xorg-x11-server-7.4-27.121.2 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 xorg-x11-server-extra-7.4-27.121.2 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 xorg-x11-Xvnc-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS xorg-x11-server-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS xorg-x11-server-extra-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS xorg-x11-Xvnc-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-server-extra-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA xorg-x11-Xvnc-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP4 xorg-x11-server-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP4 xorg-x11-server-extra-7.4-27.121.2 as a component of SUSE Linux Enterprise Server 11 SP4 xorg-x11-Xvnc-7.4-27.121.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 xorg-x11-server-7.4-27.121.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 xorg-x11-server-extra-7.4-27.121.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 xorg-x11-server-sdk-7.4-27.121.2 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. CVE-2017-10971 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP4:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP4:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP4:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-server-sdk-7.4-27.121.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171850-1/ https://www.suse.com/security/cve/CVE-2017-10971.html CVE-2017-10971 https://bugzilla.suse.com/1035283 SUSE Bug 1035283 https://bugzilla.suse.com/1047730 SUSE Bug 1047730 Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server. CVE-2017-10972 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Point of Sale 11 SP3:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-LTSS:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP3-TERADATA:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP4:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP4:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server 11 SP4:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-Xvnc-7.4-27.121.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-server-7.4-27.121.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:xorg-x11-server-extra-7.4-27.121.2 SUSE Linux Enterprise Software Development Kit 11 SP4:xorg-x11-server-sdk-7.4-27.121.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171850-1/ https://www.suse.com/security/cve/CVE-2017-10972.html CVE-2017-10972 https://bugzilla.suse.com/1035283 SUSE Bug 1035283 https://bugzilla.suse.com/1047730 SUSE Bug 1047730