From 9814e8fa3ec3a028320f2e64be31c03bbd4dd2e8 Mon Sep 17 00:00:00 2001 From: Paul Menzel Date: Thu, 25 Oct 2018 18:29:01 +0200 Subject: [PATCH] xorg-server: Update version from 1.20.2 to 1.20.3 Announcement: > Fixes CVE-2018-14665 (local file overwrite bugs), and a trivial fix in > fbdevhw initialization. All users are advised to upgrade. Thanks to > Narendra Shinde and Thomas Hoger for the report, and Matthieu Herrb for > the fix. > > Adam Jackson (1): > xserver 1.20.3 > > Matthieu Herrb (2): > Disable -logfile and -modulepath when running with elevated privileges > LogFilePrep: add a comment to the unsafe format string. > > Peter Hutterer (1): > xfree86: fix readlink call We are probably not affected, as our Xorg binary is not Suid. $ ls -lh /usr/bin/Xorg -rwxr-xr-x 1 root root 273 Oct 25 18:58 /usr/bin/Xorg From *X.Org security advisory: October 25, 2018*: > Workaround > ========== > > If a patched version of the X server is not available, X.Org > recommends to remove the setuid bit (ie chmod 755) of the installed > Xorg binary. Note that this can cause issues if people are starting > the X window system using the 'startx', 'xinit' commands or variations > thereof. > > X.Org recommends the use of a display manager to start X sessions, > which does not require Xorg to be installed setuid. --- xorg-server.be0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xorg-server.be0 b/xorg-server.be0 index 246595e78..e157a8e51 100755 --- a/xorg-server.be0 +++ b/xorg-server.be0 @@ -1,6 +1,6 @@ #!/usr/bin/env beesh -# BEE_VERSION xorg-server-1.20.2-0 +# BEE_VERSION xorg-server-1.20.3-0 ## this file was created by bee init and should be executed to build a ## bee-package. (Additional hints are located at the end of this file.)
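Review bot: The `# BEE_VERSION xorg-server-1.20.3-0` bump in the only hunk looks right, but the "probably not affected" claim in the commit message rests on `ls -lh /usr/bin/Xorg`, which shows a 273-byte file. That is far too small to be the X server itself and is most likely a wrapper script, so its `-rwxr-xr-x` mode says nothing about the binary it executes. Before relying on that claim, check the mode of the real server binary that the wrapper starts (and any other file the package installs with the setuid bit), and put that listing in the commit message instead. Separately, the visible context of `xorg-server.be0` shows no checksum or signature for the 1.20.3 source; if the file pins one further down, it needs updating in the same commit, and if it does not, a security update is a good occasion to add one.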