Amazon Linux AMI : xorg-x11-server (ALAS-2015-470)

Medium Nessus Plugin ID 80557

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges. (CVE-2014-8092 , CVE-2014-8093 , CVE-2014-8098)

It was found that the X.Org server did not properly handle SUN-DES-1 (Secure RPC) authentication credentials. A malicious, unauthenticated client could use this flaw to crash the X.Org server by submitting a specially crafted authentication request. (CVE-2014-8091)

Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server, or leak memory contents to the client.
(CVE-2014-8097)

An integer overflow flaw was found in the way the X.Org server calculated memory requirements for certain DRI2 extension requests. A malicious, authenticated client could use this flaw to crash the X.Org server. (CVE-2014-8094)

Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server. (CVE-2014-8095 , CVE-2014-8096 , CVE-2014-8099 , CVE-2014-8100 , CVE-2014-8101 , CVE-2014-8102 , CVE-2014-8103)

Solution

Run 'yum update xorg-x11-server' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2015-470.html

Plugin Details

Severity: Medium

ID: 80557

File Name: ala_ALAS-2015-470.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2015/01/16

Updated: 2018/04/18

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:xorg-x11-server-Xdmx, p-cpe:/a:amazon:linux:xorg-x11-server-Xephyr, p-cpe:/a:amazon:linux:xorg-x11-server-Xnest, p-cpe:/a:amazon:linux:xorg-x11-server-Xorg, p-cpe:/a:amazon:linux:xorg-x11-server-Xvfb, p-cpe:/a:amazon:linux:xorg-x11-server-common, p-cpe:/a:amazon:linux:xorg-x11-server-debuginfo, p-cpe:/a:amazon:linux:xorg-x11-server-devel, p-cpe:/a:amazon:linux:xorg-x11-server-source, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 2015/01/15

Reference Information

CVE: CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102, CVE-2014-8103

ALAS: 2015-470

RHSA: 2014:1983