| Description: | Summary:
The remote host is missing an update for the 'xorg-x11-server' package(s) announced via the SUSE-SU-2014:0744-1 advisory.
Vulnerability Insight:
This is a SLES 11 SP1 LTSS rollup update for the X.Org Server package.
The following security issues have been fixed:
* CVE-2013-6424: Integer underflow in the xTrapezoidValid macro in
render/picture.h in X.Org allowed context-dependent attackers to
cause a denial of service (crash) via a negative bottom value.
* CVE-2013-4396: Use-after-free vulnerability in the doImageText
function in dix/dixfonts.c in the xorg-server module before 1.14.4
in X.Org X11 allowed remote authenticated users to cause a denial of
service (daemon crash) or possibly execute arbitrary code via a
crafted ImageText request that triggers memory-allocation failure.
* CVE-2013-1940: X.Org X server did not properly restrict access to
input events when adding a new hot-plug device, which might have
allowed physically proximate attackers to obtain sensitive
information, as demonstrated by reading passwords from a tty.
The following non-security issues have been fixed:
* rfbAuthReenable is accessing rfbClient structure that was in most
cases already freed. It actually needs only ScreenPtr, so pass it
directly. (bnc#816813)
* Memory leaks in ARGB cursor handling. (bnc#813178, bnc#813683)
Security Issues:
* CVE-2013-1940
* CVE-2013-4396
* CVE-2013-6424
Affected Software/OS:
'xorg-x11-server' package(s) on SUSE Linux Enterprise Server 11-SP1.
Solution:
Please install the updated package(s).
CVSS Score:
6.5
CVSS Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
