-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ cross posted to several FreeBSD lists. Please keep replies to x11_at_FreeBSD.org ] Hi! As some of you are aware, the X.org project posted a security advisory on October 25 regarding a vulnerability in xorg-server [1]. This has been given the identifier CVE-2018-14665 [2]. The version of xorg-server in the FreeBSD ports tree is not vulnerable. In short, there is a vulnerability in versions 1.19 through 1.20.2 of xorg-server, when installed setuid root, which allows an attacker to overwrite or create any file on the system. By using this vulnerability, a local user can gain root privileges. There are several articles about this [3] [4]. The code in question was introduced on xorg-server 1.19, and as FreeBSD is still using xorg-server 1.18.4 we are not vulnerable to this issue. If you have questions or comments regarding this, don't hesitate to contact me or to send a message to the x11_at_FreeBSD.org mailing list. Regards - -- Niclas Zeising FreeBSD X11/Graphics Team [1] https://lists.x.org/archives/xorg-announce/2018-October/002927.html [2] https://nvd.nist.gov/vuln/detail/CVE-2018-14665 [3] https://arstechnica.com/information-technology/2018/10/x-org-bug-that-gives-attackers-root-bites-openbsd-and-other-big-name-oses/ [4] https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE+Ll/478KgNjo+JKEu41LV7uLVVEFAlvU0WMACgkQu41LV7uL VVGgBw/+O7pIgdU5IvommsSetDAHPmdq3wy2j5mnWTjZXxz4qRe6pVJ6a0hJdkLw 8eSZGvPSo05Tnzk3Vx0cFdZ0hPIxm6Yp7dDpO6sXKDlxQrqDoxjPkjGMPj0897F+ 4hw7RWW9O5EEDlBHjL8+Uektkk2N7MjrlbNc2IZ+eHnH8XjQ5yDOFHT9NKLeAZeP ReJR/kN/+tW9VtzJtolk7vnksc8OF8ortsPX7dEXzoc1uHwppEoDlwQZrVRVuyCk j6JzrOthEVEnxvdvVmcQueijhzKE/2g1Ix82gYEfcHA1172kMWJka1m9Og2mKGqW 8aqKilpCv6koPXtWACeG5P8nG9+SpDH6HMhjpjQqdKG80x+0I9dbAu5mL9fTVKjp iFcY+8EQzsUYHEkvS9qk4dgiMR7MMXPM3JtOQOQ94hjoFcIp9toqeDr9U2DuRxAS LC4EQ1heaiqEtlCOMfkX5BExpBQ3fs+JrTqcDtIHujp7Cv8p19fhmehoXc3hzL0z xco1ubCOmLmR6Yed+BUxBcguMn37vE6KXDMoW0yQ/jmYt9a4EtECh/bTun81DZwN gEaFqutcnxzX1AWrYv92VT65OnA9pFXjmb4oU9OQRAiwnP7a8Is0nc7fnSrdtO/Y CoHWnZKI3hoMMWSXsfEc67RNtJyUnnGLHVvIt1VWrkL1+/WCm6k= =xBK6 -----END PGP SIGNATURE-----Received on Sat Oct 27 2018 - 19:00:24 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:19 UTC