X.Org Server 1.16.3 Released To Fix Security Issues

  • X.Org Server 1.16.3 Released To Fix Security Issues

    Phoronix: X.Org Server 1.16.3 Released To Fix Security Issues

    Made public earlier this month was a huge batch of X.Org Server security vulnerabilities with some of the issues dating back to the late 1980s. Now X.Org Server 1.16.3 is available to address these problems...

    http://www.phoronix.com/vr.php?view=MTg2OTc

  • #2
    Security mess

    X.Org is a security mess.

    X.Org and OpenSSL, the worst!


    • #3
      Originally posted by uid313
      X.Org is a security mess.

      X.Org and OpenSSL, the worst!
      It's not nearly as bad as a web browser. At least 3 remote code execution vulnerabilities every 6 weeks here, and usually a lot more:

      https://www.mozilla.org/en-GB/securi...ities/firefox/

      Plenty of security relevant fixes aren't listed there at all...


      • #4
        X.org supports running as non-root now, which makes most of these vulnerabilities unremarkable. Any application with an X11 handle can grab all input events and view / manipulate all of the other windows... so there's little that can be done to provide meaningful security within an instance of it. Wayland makes it feasible to sandbox graphical applications (containers, MAC) without internal multi-processing / sandboxing.


        • #5
          So what is the difference between 1.16.2.901 and 1.16.3? Does .3 offer more security fixes?

          Anyway, Arch has updates to 1.16.3 already.


          • #6
            Originally posted by Xaero_Vincent
            So what is the difference between 1.16.2.901 and 1.16.3?
            According to the git log, no difference beyond the version number.


            • #7
              Originally posted by Xaero_Vincent
              So what is the difference between 1.16.2.901 and 1.16.3? Does .3 offer more security fixes?

              Anyway, Arch has updates to 1.16.3 already.
              .901 will usually indicate a release candidate. The .3 is the final release, which had no changes.


              • #8
                Originally posted by uid313
                X.Org is a security mess.

                X.Org and OpenSSL, the worst!
                OpenSSL made some horrible design choices, such as replacing parts of libstd just because they wanted to support super-obscure platforms.

                Xorg... Xorg got written in the 80's and has had to maintain backwards compatibility since then. Let's see ANY project keep 30yrs of cruft hanging around without being a security nightmare.


                • #9
                  Originally posted by Xaero_Vincent
                  So what is the difference between 1.16.2.901 and 1.16.3? Does .3 offer more security fixes?

                  Anyway, Arch has updates to 1.16.3 already.
                  The difference is Debian's just-in-case, usual 10-day waiting period: even if nothing changes, like in this case, and all looks stable, it just "looks like" it, so you need to wait a little (usually 10 days) for more eyes to approve that claim.
