-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1295
                        xorg-server security update
                               16 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xorg-server
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3472  

Reference:         ESB-2021.1283
                   ESB-2021.1227

Original Bulletin: 
   http://www.debian.org/lts/security/2021/dla-2627

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2627-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
April 15, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : xorg-server
Version        : 2:1.19.2-1+deb9u8
CVE ID         : CVE-2021-3472

Jan-Niklas Sohn discovered that there was an input validation failure
in the X.Org display server.

Insufficient checks on the lengths of the XInput extension's
ChangeFeedbackControl request could have led to out of bounds memory
accesses in the X server. These issues can lead to privilege
escalation for authorised clients, particularly on systems where the
X server is running as a privileged user.

For Debian 9 "Stretch", this problem has been fixed in version
2:1.19.2-1+deb9u8.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================