Operating System:

[RedHat]

Published:

06 November 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3801.2
                          libX11 security update
                              6 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libX11
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14363  

Reference:         ESB-2020.3066
                   ESB-2020.3047
                   ESB-2020.3019
                   ESB-2020.3009

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:4908
   https://access.redhat.com/errata/RHSA-2020:4946

Comment: This bulletin contains two (2) Red Hat security advisories.

Revision History:  November 6 2020: Appending additional associated advisory
                   November 5 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libX11 security update
Advisory ID:       RHSA-2020:4908-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4908
Issue date:        2020-11-04
Cross references:  RHSA-2020:65284-01
CVE Names:         CVE-2020-14363 
=====================================================================

1. Summary:

An update for libX11 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

The libX11 packages contain the core X11 protocol client library.

Security Fix(es):

* libX11: integer overflow leads to double free in locale handling
(CVE-2020-14363)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1872473 - CVE-2020-14363 libX11: integer overflow leads to double free in locale handling

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
libX11-1.6.7-3.el7_9.src.rpm

noarch:
libX11-common-1.6.7-3.el7_9.noarch.rpm

x86_64:
libX11-1.6.7-3.el7_9.i686.rpm
libX11-1.6.7-3.el7_9.x86_64.rpm
libX11-debuginfo-1.6.7-3.el7_9.i686.rpm
libX11-debuginfo-1.6.7-3.el7_9.x86_64.rpm
libX11-devel-1.6.7-3.el7_9.i686.rpm
libX11-devel-1.6.7-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
libX11-1.6.7-3.el7_9.src.rpm

noarch:
libX11-common-1.6.7-3.el7_9.noarch.rpm

x86_64:
libX11-1.6.7-3.el7_9.i686.rpm
libX11-1.6.7-3.el7_9.x86_64.rpm
libX11-debuginfo-1.6.7-3.el7_9.i686.rpm
libX11-debuginfo-1.6.7-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
libX11-debuginfo-1.6.7-3.el7_9.i686.rpm
libX11-debuginfo-1.6.7-3.el7_9.x86_64.rpm
libX11-devel-1.6.7-3.el7_9.i686.rpm
libX11-devel-1.6.7-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
libX11-1.6.7-3.el7_9.src.rpm

noarch:
libX11-common-1.6.7-3.el7_9.noarch.rpm

ppc64:
libX11-1.6.7-3.el7_9.ppc.rpm
libX11-1.6.7-3.el7_9.ppc64.rpm
libX11-debuginfo-1.6.7-3.el7_9.ppc.rpm
libX11-debuginfo-1.6.7-3.el7_9.ppc64.rpm
libX11-devel-1.6.7-3.el7_9.ppc.rpm
libX11-devel-1.6.7-3.el7_9.ppc64.rpm

ppc64le:
libX11-1.6.7-3.el7_9.ppc64le.rpm
libX11-debuginfo-1.6.7-3.el7_9.ppc64le.rpm
libX11-devel-1.6.7-3.el7_9.ppc64le.rpm

s390x:
libX11-1.6.7-3.el7_9.s390.rpm
libX11-1.6.7-3.el7_9.s390x.rpm
libX11-debuginfo-1.6.7-3.el7_9.s390.rpm
libX11-debuginfo-1.6.7-3.el7_9.s390x.rpm
libX11-devel-1.6.7-3.el7_9.s390.rpm
libX11-devel-1.6.7-3.el7_9.s390x.rpm

x86_64:
libX11-1.6.7-3.el7_9.i686.rpm
libX11-1.6.7-3.el7_9.x86_64.rpm
libX11-debuginfo-1.6.7-3.el7_9.i686.rpm
libX11-debuginfo-1.6.7-3.el7_9.x86_64.rpm
libX11-devel-1.6.7-3.el7_9.i686.rpm
libX11-devel-1.6.7-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
libX11-1.6.7-3.el7_9.src.rpm

noarch:
libX11-common-1.6.7-3.el7_9.noarch.rpm

x86_64:
libX11-1.6.7-3.el7_9.i686.rpm
libX11-1.6.7-3.el7_9.x86_64.rpm
libX11-debuginfo-1.6.7-3.el7_9.i686.rpm
libX11-debuginfo-1.6.7-3.el7_9.x86_64.rpm
libX11-devel-1.6.7-3.el7_9.i686.rpm
libX11-devel-1.6.7-3.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14363
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libX11 security update
Advisory ID:       RHSA-2020:4946-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4946
Issue date:        2020-11-05
CVE Names:         CVE-2020-14363 
=====================================================================

1. Summary:

An update for libX11 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64

3. Description:

The libX11 packages contain the core X11 protocol client library.

Security Fix(es):

* libX11: integer overflow leads to double free in locale handling
(CVE-2020-14363)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1872473 - CVE-2020-14363 libX11: integer overflow leads to double free in locale handling

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
libX11-1.6.4-4.el6_10.src.rpm

i386:
libX11-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm

noarch:
libX11-common-1.6.4-4.el6_10.noarch.rpm

x86_64:
libX11-1.6.4-4.el6_10.i686.rpm
libX11-1.6.4-4.el6_10.x86_64.rpm
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-devel-1.6.4-4.el6_10.i686.rpm

x86_64:
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.x86_64.rpm
libX11-devel-1.6.4-4.el6_10.i686.rpm
libX11-devel-1.6.4-4.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
libX11-1.6.4-4.el6_10.src.rpm

noarch:
libX11-common-1.6.4-4.el6_10.noarch.rpm

x86_64:
libX11-1.6.4-4.el6_10.i686.rpm
libX11-1.6.4-4.el6_10.x86_64.rpm
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.x86_64.rpm
libX11-devel-1.6.4-4.el6_10.i686.rpm
libX11-devel-1.6.4-4.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
libX11-1.6.4-4.el6_10.src.rpm

i386:
libX11-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-devel-1.6.4-4.el6_10.i686.rpm

noarch:
libX11-common-1.6.4-4.el6_10.noarch.rpm

ppc64:
libX11-1.6.4-4.el6_10.ppc.rpm
libX11-1.6.4-4.el6_10.ppc64.rpm
libX11-debuginfo-1.6.4-4.el6_10.ppc.rpm
libX11-debuginfo-1.6.4-4.el6_10.ppc64.rpm
libX11-devel-1.6.4-4.el6_10.ppc.rpm
libX11-devel-1.6.4-4.el6_10.ppc64.rpm

s390x:
libX11-1.6.4-4.el6_10.s390.rpm
libX11-1.6.4-4.el6_10.s390x.rpm
libX11-debuginfo-1.6.4-4.el6_10.s390.rpm
libX11-debuginfo-1.6.4-4.el6_10.s390x.rpm
libX11-devel-1.6.4-4.el6_10.s390.rpm
libX11-devel-1.6.4-4.el6_10.s390x.rpm

x86_64:
libX11-1.6.4-4.el6_10.i686.rpm
libX11-1.6.4-4.el6_10.x86_64.rpm
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.x86_64.rpm
libX11-devel-1.6.4-4.el6_10.i686.rpm
libX11-devel-1.6.4-4.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
libX11-1.6.4-4.el6_10.src.rpm

i386:
libX11-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-devel-1.6.4-4.el6_10.i686.rpm

noarch:
libX11-common-1.6.4-4.el6_10.noarch.rpm

x86_64:
libX11-1.6.4-4.el6_10.i686.rpm
libX11-1.6.4-4.el6_10.x86_64.rpm
libX11-debuginfo-1.6.4-4.el6_10.i686.rpm
libX11-debuginfo-1.6.4-4.el6_10.x86_64.rpm
libX11-devel-1.6.4-4.el6_10.i686.rpm
libX11-devel-1.6.4-4.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-14363
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
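Added example, not code from Red Hat or AusCERT: a check that compares an installed libX11 version-release (as printed by rpm -q --qf '%{VERSION}-%{RELEASE}' libX11) against the fixed builds listed in the two advisories above, 1.6.7-3.el7_9 for RHEL 7 and 1.6.4-4.el6_10 for RHEL 6. rpm's rpmvercmp segment rules are reimplemented in Python so the check runs on a host or inventory system without rpm; the installed version strings in the assumptions are constructed samples.

```python
"""Check an installed libX11 version-release against the fixed builds from
RHSA-2020:4908 (RHEL 7) and RHSA-2020:4946 (RHEL 6). Added example, not
Red Hat's or AusCERT's code; rpm's rpmvercmp rules are reimplemented so it
runs without rpm. Input: rpm -q --qf '%{VERSION}-%{RELEASE}' libX11"""
import re

# Version-release of the fixed packages, from the advisories' package lists.
FIXED = {"el7": "1.6.7-3.el7_9", "el6": "1.6.4-4.el6_10"}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # '.', '_' and '-' are separators, not segments

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp: numeric segments compare as
    numbers, alphabetic ones as strings, numeric beats alphabetic, and a
    '~' segment sorts before anything (pre-release marker)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # One string has segments left over: it is newer, unless the leftover starts with '~'.
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    newer = longer_is_a != (rest[0] == "~")
    return 1 if newer else -1

def is_fixed(installed_vr: str, fixed_vr: str) -> bool:
    """True when the installed version-release is at or above the fixed build."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)  # release decides only when versions tie
    return c >= 0

def needs_update(installed_vr: str) -> bool:
    """Select the advisory by the dist tag in the release and report exposure."""
    m = re.search(r"\.el([67])", installed_vr)
    if not m:
        raise ValueError("not a RHEL 6/7 libX11 build: " + installed_vr)
    return not is_fixed(installed_vr, FIXED["el" + m.group(1)])
```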

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----