xorg-server (2:21.1.7-3+deb12u7) bookworm-security; urgency=high

  * render: Avoid possible double-free in ProcRenderAddGlyphs()

 -- Julien Cristau <jcristau@debian.org>  Wed, 10 Apr 2024 11:02:46 +0200

xorg-server (2:21.1.7-3+deb12u6) bookworm-security; urgency=high

  * CVE-2024-31080: Heap buffer overread/data leakage in
    ProcXIGetSelectedEvents
  * CVE-2024-31081: Heap buffer overread/data leakage in
    ProcXIPassiveGrabDevice
  * CVE-2024-31082: Heap buffer overread/data leakage in
    ProcAppleDRICreatePixmap
  * CVE-2024-31083: Use-after-free in ProcRenderAddGlyphs

 -- Julien Cristau <jcristau@debian.org>  Thu, 04 Apr 2024 11:59:35 +0200

xorg-server (2:21.1.7-3+deb12u5) bookworm-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Xi: require a pointer and keyboard device for XIAttachToMaster
  * dix: allocate enough space for logical button maps (CVE-2023-6816)
  * dix: Allocate sufficient xEvents for our DeviceStateNotify
    (CVE-2024-0229)
  * dix: fix DeviceStateNotify event calculation (CVE-2024-0229)
  * Xi: when creating a new ButtonClass, set the number of buttons
    (CVE-2024-0229)
  * Xi: flush hierarchy events after adding/removing master devices
    (CVE-2024-21885)
  * Xi: do not keep linked list pointer during recursion (CVE-2024-21886)
  * dix: when disabling a master, float disabled slaved devices too
    (CVE-2024-21886)
  * ephyr,xwayland: Use the proper private key for cursor
  * glx: Call XACE hooks on the GLX buffer
  * dix: Fix use after free in input device shutdown

 -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 22 Jan 2024 07:19:15 +0100

xorg-server (2:21.1.7-3+deb12u4) bookworm-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Sync "Xi: allocate enough XkbActions for our buttons" (CVE-2023-6377)
    The original upstream patch applied for CVE-2023-6377 was incomplete and
    still allows OOM access. This update syncs the patch with the upstream
    applied patch.

 -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 15 Dec 2023 06:00:53 +0100

xorg-server (2:21.1.7-3+deb12u3) bookworm-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Xi: allocate enough XkbActions for our buttons (CVE-2023-6377)
  * randr: avoid integer truncation in length check of
    ProcRRChange*Property (CVE-2023-6478)

 -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 09 Dec 2023 12:06:17 +0100

xorg-server (2:21.1.7-3+deb12u2) bookworm-security; urgency=high

  * 0003-mi-fix-CloseScreen-initialization-order.patch,
    0004-fb-properly-wrap-unwrap-CloseScreen.patch: drop, causes other bugs
    that are worse than CVE-2023-5574.

 -- Julien Cristau <jcristau@debian.org>  Wed, 25 Oct 2023 09:35:47 +0200

xorg-server (2:21.1.7-3+deb12u1) bookworm-security; urgency=medium

  * present-Check-for-NULL-to-prevent-crash.patch: drop, applied upstream
    since 21.1.4
  * Xi/randr: fix handling of PropModeAppend/Prepend (CVE-2023-5367)
  * mi: reset the PointerWindows reference on screen switch (CVE-2023-5380)
  * mi: fix CloseScreen initialization order
  * fb: properly wrap/unwrap CloseScreen (CVE-2023-5574)

 -- Julien Cristau <jcristau@debian.org>  Mon, 23 Oct 2023 19:26:14 +0200

xorg-server (2:21.1.7-3) unstable; urgency=medium

  * Enable DRI2 for the udeb build, needed in addition to DRM support since
    9c81b8f5b5 to build the modesetting driver. This fixes failures to start
    X in the graphical installer under UTM (Closes: #1035014). Thanks to
    Keith Toh for the report and the follow-up tests!

 -- Cyril Brulebois <kibi@debian.org>  Wed, 03 May 2023 03:41:41 +0200

xorg-server (2:21.1.7-2) unstable; urgency=high

  * composite: Fix use-after-free of the COW
    ZDI-CAN-19866/CVE-2023-1393

 -- Julien Cristau <jcristau@debian.org>  Wed, 29 Mar 2023 15:11:07 +0200

xorg-server (2:21.1.7-1) unstable; urgency=medium

  * New upstream release
    + Xi: fix potential use-after-free in DeepCopyPointerClasses
      (CVE-2023-0494, closes: #1030777)

 -- Julien Cristau <jcristau@debian.org>  Tue, 07 Feb 2023 14:15:45 +0100

xorg-server (2:21.1.6-1) unstable; urgency=medium

  * New upstream release.
  * patches: Drop upstreamed patches.
  * Add signing-key from Olivier Fourdan.

 -- Timo Aaltonen <tjaalton@debian.org>  Thu, 05 Jan 2023 16:02:46 +0200

xorg-server (2:21.1.5-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343,
      CVE-2022-46344, CVE-2022-46283
  * Add signing-key from Peter Hutterer.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 14 Dec 2022 11:10:24 +0200

xorg-server (2:21.1.4-3) unstable; urgency=medium

  * xkb: proof GetCountedString against request length attacks
    (CVE-2022-3550)
  * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551)

 -- Emilio Pozuelo Monfort <pochu@debian.org>  Fri, 11 Nov 2022 13:35:13 +0100

xorg-server (2:21.1.4-2) unstable; urgency=medium

  * 001_fedora_extramodes.patch: Dropped, apparently obsolete since 1.5.0.
    (LP: #1990456)

 -- Timo Aaltonen <tjaalton@debian.org>  Thu, 22 Sep 2022 08:53:59 +0300

xorg-server (2:21.1.4-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2022-2319, CVE-2022-2320 (Closes: #1014903)

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 25 Jul 2022 12:46:43 +0300

xorg-server (2:21.1.3-2) unstable; urgency=medium

  * present-Check-for-NULL-to-prevent-crash.patch: Fix a crash with nvidia
    495.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 09 Feb 2022 12:19:09 +0200

xorg-server (2:21.1.3-1) experimental; urgency=medium

  * New upstream release.

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 10 Jan 2022 17:54:12 +0200

xorg-server (2:21.1.1-2) experimental; urgency=medium

  * Fix serverminver.
  * control: Add libxcvt-dev to xserver-xorg-dev depends.

 -- Timo Aaltonen <tjaalton@debian.org>  Sat, 27 Nov 2021 11:18:56 +0200

xorg-server (2:21.1.1-1) experimental; urgency=medium

  * New upstream release.
  * 04_compiler_h_inb_outb_mips.diff: Dropped, upstream.
  * Xwayland is dropped from this source, don't try to build it.
  * Xdmx is gone, drop it from the build.
  * serverminver: Bump versions.
  * control: Bump x11proto-dev and libx1-dev depends.
  * control: Add libxcvt-dev to build-depends, xcvt to -core Recommends.
  * control: Bump libdrm-dev build-depends.
  * Update signing-key.asc.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 17 Nov 2021 16:31:46 +0200

xorg-server (2:1.20.14-1) unstable; urgency=medium

  * New upstream release.

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 11 Jan 2022 16:21:08 +0200

xorg-server (2:1.20.13-3) unstable; urgency=high

  * Team upload.
  * record: Fix out of bounds access in SwapCreateRegister()
    [CVE-2021-4011]
  * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
    [CVE-2021-4009]
  * Xext: Fix out of bounds access in SProcScreenSaverSuspend()
    [CVE-2021-4010]
  * render: Fix out of bounds access in SProcRenderCompositeGlyphs()
    [CVE-2021-4008]

 -- Julien Cristau <jcristau@debian.org>  Tue, 14 Dec 2021 14:38:21 +0100

xorg-server (2:1.20.13-2) unstable; urgency=medium

  * Upload to unstable.
  * Disable building xwayland.

 -- Timo Aaltonen <tjaalton@debian.org>  Sat, 27 Nov 2021 13:03:35 +0200

xorg-server (2:1.20.13-1) experimental; urgency=medium

  * New upstream release.

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 10 Aug 2021 12:27:00 +0300

xorg-server (2:1.20.11-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2021-3472
  * Add signing key for Matt Turner.

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 13 Apr 2021 19:07:31 +0300

xorg-server (2:1.20.10-3) unstable; urgency=medium

  [ Julien Cristau ]
  * Drop workaround for mips* FTBFS added in 2:1.20.10-1, shouldn't be
    necessary anymore with the change in 2:1.20.10-2.

  [ Sven Joachim ]
  * Recommend default-logind | logind rather than libpam-systemd in
    xserver-xorg-core (Closes: #923198).
  * Use mktemp rather than tempfile in xserver-xorg-legacy.postinst
    (Closes: #979751).
  * Use dpkg-vendor to get the vendor name, drop lsb-release from
    Build-Depends.

  [ Vagrant Cascadian ]
  * Avoid embedding the running kernel version (Closes: #976898).

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 17 Feb 2021 11:17:43 +0200

xorg-server (2:1.20.10-2) unstable; urgency=medium

  * Stop defining inb/outb on mips, to fix FTBFS in some drivers with GCC 10
    (closes: #978670).

 -- Julien Cristau <jcristau@debian.org>  Wed, 06 Jan 2021 10:33:33 +0100

xorg-server (2:1.20.10-1) unstable; urgency=medium

  [ Timo Aaltonen ]
  * New upstream release.
    - CVE-2020-14360, CVE-2020-25712 (Closes: #976216)
  * Drop patches:
    - 0001-Revert-*: Reverted upstream in this version
    - revert-hw-xfree86-avoid-cursor-use-after-free.diff: Issue fixed in
      this version
    - revert-disabling-xss-for-rootless-xwayland.diff: Was resolved upstream
      as being a client bug
  * control: Add libnvidia-egl-wayland-dev to build-depends, enables
    EGLStream support in xwayland.

  [ Adrian Bunk ]
  * rules: Add a workaround to fix build on mips*. (Closes: #975579)

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 02 Dec 2020 12:41:35 +0200

xorg-server (2:1.20.9-2) unstable; urgency=medium

  * fix-pci-probing-segfault.diff: Dropped and revert three commits instead.
    (Closes: #969739)

 -- Timo Aaltonen <tjaalton@debian.org>  Thu, 24 Sep 2020 12:19:06 +0300

xorg-server (2:1.20.9-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2020-14347 (Closes: #968986)
  * fix-pci-probing-segfault.diff: Fix a regression in 1.20.9 when probing
    the GPU.
  * revert-hw-xfree86-avoid-cursor-use-after-free.diff: Revert a commit
    which is causing server crashes.
  * revert-disabling-xss-for-rootless-xwayland.diff: Fix a regression where
    apps crash under Xwayland.

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 31 Aug 2020 18:49:48 +0300

xorg-server (2:1.20.8-2) unstable; urgency=medium

  * rules: Exclude udeb/ from indep dh_missing. (Closes: #955399)

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 31 Mar 2020 13:14:40 +0300

xorg-server (2:1.20.8-1) unstable; urgency=medium

  * New upstream release.
  * patches: Dropped patches applied upstream:
    - fix-modesetting-build.diff
    - add-EGL_QUERY_DRIVER-check.diff
    - fix-rotate-crash.diff
  * control: Use debhelper-compat, bump to 12.
  * rules: Migrate to dh_missing.

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 30 Mar 2020 15:48:38 +0300

xorg-server (2:1.20.7-4) unstable; urgency=medium

  [ Jordan Justen ]
  * add-EGL_QUERY_DRIVER-check.diff: Add missing change from upstream to fix
    glamor getting the driver name from EGL.

 -- Timo Aaltonen <tjaalton@debian.org>  Sat, 29 Feb 2020 07:05:06 +0200

xorg-server (2:1.20.7-3) unstable; urgency=medium

  * fix-rotate-crash.diff: Fix a crash if rotation is set on xorg.conf.
    (Closes: #949257)

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 05 Feb 2020 18:27:36 +0200

xorg-server (2:1.20.7-2) unstable; urgency=medium

  * add-EGL_QUERY_DRIVER-check.diff: Add a check for EGL_QUERY_DRIVER to
    autotools.

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 14 Jan 2020 12:13:49 +0200

xorg-server (2:1.20.7-1) unstable; urgency=medium

  * New upstream release.
  * 07_use-modesetting-driver-by-default-on-GeForce.diff: Modified to not
    include xf86drm.h on Hurd. (Closes: #947746)
  * control: Add mesa-common-dev and libx11-xcb-dev to build-depends.
    (Closes: #947748)
  * serverminver: Bump video abi minor.
  * fix-modesetting-build.diff: Add a missing include to fix the build.

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 14 Jan 2020 10:50:19 +0200

xorg-server (2:1.20.6-1) unstable; urgency=medium

  [ Sven Joachim ]
  * Remove the explicit build and build-indep targets (Closes: #941128).
  * Exclude the directory where xorg-server.tar.xz is built from it
    (Closes: #930405).
  * Make the xorg-server-source binary package reproducible by specifying
    suitable options to tar when creating /tmp/xorg-server.tar.xz.
  * Set Rules-Requires-Root to binary-targets.
  * Drop dependency on dummy package libegl1-mesa (Closes: #930608).
  * Remove no longer used lintian overrides from version 2:1.11.2.901-1.
  * Bump debhelper compat level to 11.
    - Drop autoreconf and --parallel from the dh sequence, default since
      compat level 10. Remove dh-autoreconf from Build-Depends, redundant.
  * Drop dpkg-dev build dependency, already fulfilled in wheezy.
  * Add xz-utils to Build-Depends-Indep.
  * Fix a typo in the xvfb-run manpage.

  [ Timo Aaltonen ]
  * New upstream release.
  * Add signing key from Matt Turner.

 -- Timo Aaltonen <tjaalton@debian.org>  Mon, 25 Nov 2019 11:49:09 +0200

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog xserver-common`.