Security update for xorg-x11-server SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1610-1 Final 1 1 2017-06-19T15:46:39Z current 2017-06-19T15:46:39Z 2017-06-19T15:46:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xorg-x11-server This update for xorg-x11-server fixes the following security issues: - CVE-2017-2624: Prevent timing attack against MIT cookie. (boo#1025029) - Use arc4random to generate cookies with more randomness. (boo#1025084) - Remove unused function with use-after-free issue. (boo#1025035) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-06/msg00070.html E-Mail link for openSUSE-SU-2017:1610-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 xorg-x11-server-7.6_1.18.3-12.15.2 xorg-x11-server-extra-7.6_1.18.3-12.15.2 xorg-x11-server-sdk-7.6_1.18.3-12.15.2 xorg-x11-server-source-7.6_1.18.3-12.15.2 xorg-x11-server-7.6_1.18.3-12.15.2 as a component of openSUSE Leap 42.2 xorg-x11-server-extra-7.6_1.18.3-12.15.2 as a component of openSUSE Leap 42.2 xorg-x11-server-sdk-7.6_1.18.3-12.15.2 as a component of openSUSE Leap 42.2 xorg-x11-server-source-7.6_1.18.3-12.15.2 as a component of openSUSE Leap 42.2 It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack. CVE-2017-2624 openSUSE Leap 42.2:xorg-x11-server-7.6_1.18.3-12.15.2 openSUSE Leap 42.2:xorg-x11-server-extra-7.6_1.18.3-12.15.2 openSUSE Leap 42.2:xorg-x11-server-sdk-7.6_1.18.3-12.15.2 openSUSE Leap 42.2:xorg-x11-server-source-7.6_1.18.3-12.15.2 moderate 4 AV:L/AC:H/Au:N/C:C/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-06/msg00070.html https://www.suse.com/security/cve/CVE-2017-2624.html CVE-2017-2624 https://bugzilla.suse.com/1025029 SUSE Bug 1025029 https://bugzilla.suse.com/1025639 SUSE Bug 1025639 https://bugzilla.suse.com/1035283 SUSE Bug 1035283