Summary
The remote host is missing updates announced in
advisory GLSA 200608-25.
Solution
All X.Org xdm users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-apps/xdm-1.0.4-r1'
All X.Org xinit users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-apps/xinit-1.0.2-r6'
All X.Org xload users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-apps/xload-1.0.1-r1'
All X.Org xf86dga users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-apps/xf86dga-1.0.1-r1'
All X.Org users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-base/xorg-x11-6.9.0-r2'
All X.Org X servers users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-base/xorg-server-1.1.0-r1'
All X.Org X11 library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-libs/libx11-1.0.1-r1'
All X.Org xtrans library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-libs/xtrans-1.0.1-r1'
All xterm users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=x11-terms/xterm-215'
All users of the X11R6 libraries for emulation of 32bit x86 on amd64 should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=app-emulation/emul-linux-x86-xlibs-7.0-r2'
Please note that the fixed packages have been available for most architectures since June 30th but the GLSA release was held up waiting for the remaining architectures.
http://www.securityspace.com/smysecure/catid.html?in=GLSA%20200608-25
http://bugs.gentoo.org/show_bug.cgi?id=135974
http://lists.freedesktop.org/archives/xorg/2006-June/016146.html
Insight
X.Org, libX11, xdm, xf86dga, xinit, xload, xtrans and xterm are vulnerable to local privilege escalation because they do not check the return value of their setuid() calls: if the call fails, the program keeps running with the privileges it meant to drop.
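As an added illustration of the bug class named above (this is not code from the advisory or from any of the affected X.Org packages), the unchecked privilege drop is shown beside a checked one that also verifies the result; the function names are assumed.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Verify that every uid/gid the kernel tracks matches the target.
 * Returns 0 on match, -1 otherwise. Assumed helper name. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* The pattern the advisory describes: the return values of setgid() and
 * setuid() are ignored. setuid() can fail (for example with EAGAIN when the
 * target user is already at its RLIMIT_NPROC limit), and the program then
 * keeps running with the privileges it was supposed to give up. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
}

/* Hardened form: drop the group first (setgid() needs the privilege that
 * setuid() takes away), check each call, then confirm the result with the
 * get*id() calls. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    return verify_identity(uid, gid);
}

int main(void)
{
    /* Constructed demo: dropping to the caller's own ids always succeeds. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    return 0;
}
```

A caller that treats a failed drop as fatal, as main() does here, is the fix the affected packages needed.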
Severity
CVSS Base Score: 7.2
CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Classification
CVE-2006-4447