-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ cross posted to several FreeBSD lists. Please keep replies to x11 at FreeBSD.org ] Hi! As some of you are aware, the X.org project posted a security advisory on October 25 regarding a vulnerability in xorg-server [1]. This has been given the identifier CVE-2018-14665 [2]. The version of xorg-server in the FreeBSD ports tree is not vulnerable. In short, there is a vulnerability in versions 1.19 through 1.20.2 of xorg-server, when installed setuid root, which allows an attacker to overwrite or create any file on the system. By using this vulnerability, a local user can gain root privileges. There are several articles about this [3] [4]. The code in question was introduced on xorg-server 1.19, and as FreeBSD is still using xorg-server 1.18.4 we are not vulnerable to this issue. If you have questions or comments regarding this, don't hesitate to contact me or to send a message to the x11 at FreeBSD.org mailing list. Regards Niclas Zeising FreeBSD X11/Graphics Team [1] https://lists.x.org/archives/xorg-announce/2018-October/002927.html [2] https://nvd.nist.gov/vuln/detail/CVE-2018-14665 [3] https://arstechnica.com/information-technology/2018/10/x-org-bug-that-gives-attackers-root-bites-openbsd-and-other-big-name-oses/ [4] https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE+Ll/478KgNjo+JKEu41LV7uLVVEFAlvU1AgACgkQu41LV7uL VVEbJA//X6jZBPlBgv86w0zD2kxvBEu9wdx4Ib2MwRHAFmnhkv4vkOK37cmkNl35 PJII8TE+9+AoOdm+jybZqJJDqyl54uLh1M46BTuE4LQkvhCyHlMKUaBaQmcBMGyE 9j/hKKr4aaHXwFKZS+Cy/KhKytAOR6le1r07KlmWBTw6SPq4Bm8+KWXjceiFdlkF GvCF35PeiJ+aIBIT/5ufVJHaUqNZZF8jtuCpNEgSotLogX/HfWYvMhf/ExC6JijA OuYLjw/xZmGNKg68QM0AN1dFB83JYx/eIZMVCRWj9Rt/ypeF7ISM/qkypW1OOHMr a9uwEhO6qTr7drfb/pX4/Y+Z9/pumIWQIZgAI9aYzBY9T+op2qifKTFEqpxfXTCj wuFDKP270la3prhs2hp+q+LgsGxTv9BelodQh5NsNHuKWb6Fzro7Vsy189wg6ulK E+tQ8qNbWQLfUHVCkCthe1nfLAX2KrOEgDMxWjlgPM5BPIU8JancCjuz02wQ6AiU lBMfMCW4b5fDZZMqSNNpDW0kiAvXt+aewA23tAmhNSSmSRFXUXlV6UKw3anU3R0G xVkN8dXnkhWSVfMWXUy92aYHUr1eTZDclSEZlrgJGfLI+DY2OXWDnvsUwm2wPhIR YSYvrI2iJa31qoF05t6bpJY3USRORHg+OlrGlVnOPXK4rar/Z6M=0NLO -----END PGP SIGNATURE-----