SUSE-SU-2024:2776-1: moderate: Security update for dri3proto, presentproto, wayland-protocols, xwayland
SLE-SECURITY-UPDATES
null at suse.de
Mon Aug 19 09:55:50 UTC 2024
# Security update for dri3proto, presentproto, wayland-protocols, xwayland
Announcement ID: SUSE-SU-2024:2776-1
Rating: moderate
References:
* bsc#1219892
* bsc#1222309
* bsc#1222310
* bsc#1222312
* bsc#1222442
* jsc#PED-9498
Cross-References:
* CVE-2024-31080
* CVE-2024-31081
* CVE-2024-31083
CVSS scores:
* CVE-2024-31080 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
* CVE-2024-31081 ( SUSE ): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
* CVE-2024-31083 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Development Tools Module 15-SP5
* Development Tools Module 15-SP6
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Workstation Extension 15 SP6
* SUSE Package Hub 15 15-SP6
An update that solves three vulnerabilities, contains one feature and has two
security fixes can now be installed.
## Description:
This update for dri3proto, presentproto, wayland-protocols, xwayland fixes the
following issues:
Changes in presentproto:
* update to version 1.4 (patch generated from xorgproto-2024.1 sources)
Changes in wayland-protocols:
* Update to version 1.36:
* xdg-dialog: fix missing namespace in protocol name
* Changes from version 1.35:
* cursor-shape-v1: Does not advertise the list of supported cursors
* xdg-shell: add missing enum attribute to set_constraint_adjustment
* xdg-shell: recommend against drawing decorations when tiled
* tablet-v2: mark as stable
* staging: add alpha-modifier protocol
* Update to 1.36
* Fix to the xdg dialog protocol
* tablet-v2 protocol is now stable
* alpha-modifier: new protocol
* Bug fix to the cursor shape documentation
* The xdg-shell protocol now also explicitly recommends against drawing
decorations outside of the window geometry when tiled
* Update to 1.34:
* xdg-dialog: new protocol
* xdg-toplevel-drag: new protocol
* Fix typo in ext-foreign-toplevel-list-v1
* tablet-v2: clarify that name/id events are optional
* linux-drm-syncobj-v1: new protocol
* linux-explicit-synchronization-v1: add linux-drm-syncobj note
* Update to version 1.33:
* xdg-shell: Clarify what a toplevel by default includes
* linux-dmabuf: sync changes from unstable to stable
* linux-dmabuf: require all planes to use the same modifier
* presentation-time: stop referring to Linux/glibc
* security-context-v1: Make sandbox engine names use reverse-DNS
* xdg-decoration: remove ambiguous wording in configure event
* xdg-decoration: fix configure event summary
* linux-dmabuf: mark as stable
* linux-dmabuf: add note about implicit sync
* security-context-v1: Document what can be done with the open sockets
* security-context-v1: Document out of band metadata for flatpak
Changes in dri3proto:
* update to version 1.4 (patch generated from xorgproto-2024.1 sources)
Changes in xwayland:
* Update to bugfix release 24.1.1 for the current stable 24.1 branch of
Xwayland
* xwayland: fix segment fault in `xwl_glamor_gbm_init_main_dev`
* os: Explicitly include X11/Xmd.h for CARD32 definition to fix building on
i686
* present: On *BSD, epoll-shim is needed to emulate eventfd()
* xwayland: Stop on first unmapped child
* xwayland/window-buffers: Promote xwl_window_buffer
* xwayland/window-buffers: Add xwl_window_buffer_release()
* xwayland/glamor/gbm: Copy explicit sync code to GLAMOR/GBM
* xwayland/window-buffers: Use synchronization from GLAMOR/GBM
* xwayland/window-buffers: Do not always set syncpnts
* xwayland/window-buffers: Move code to submit pixmaps
* xwayland/window-buffers: Set syncpnts for all pixmaps
* xwayland: Move xwl_window disposal to its own function
* xwayland: Make sure we do not leak xwl_window on destroy
* wayland/window-buffers: Move buffer disposal to its own function
* xwayland/window-buffers: optionally force disposal
* wayland: Force disposal of windows buffers for root on destroy
* xwayland: Check for pointer in xwl_seat_leave_ptr()
* xwayland: remove includedir from pkgconfig
* disable DPMS on sle15 due to missing proto package
* Update to feature release 24.1.0
* This fixes a couple of regressions introduced in the previous release
candidate versions along with a fix for XTEST emulation with EI.
* xwayland: Send ei_device_frame on device_scroll_discrete
* xwayland: Restore the ResizeWindow handler
* xwayland: Handle rootful resize in ResizeWindow
* xwayland: Move XRandR emulation to the ResizeWindow hook
* xwayland: Use correct xwl_window lookup function in xwl_set_shape
* eglstreams has been dropped
* Update to bug fix release 23.2.7
* m4: drop autoconf leftovers
* xwayland: Send ei_device_frame on device_scroll_discrete
* xwayland: Call drmFreeDevice for dma-buf default feedback
* xwayland: Use drmDevicesEqual in xwl_dmabuf_feedback_tranche_done
* dri3: Free formats in cache_formats_and_modifiers
* xwayland/glamor: Handle depth 15 in gbm_format_for_depth
* Revert "xwayland/glamor: Avoid implicit redirection with depth 32 parent
windows"
* xwayland: Check for outputs before lease devices
* xwayland: Do not remove output on withdraw if leased
* Update to 23.2.6
* This is a quick bug fix release to address a regression introduced by the
fix for CVE-2024-31083 in xwayland-23.2.5.
* Security update 23.2.5
This release contains the 3 security fixes that actually apply to Xwayland
reported in the security advisory of April 3rd 2024
* CVE-2024-31080
* CVE-2024-31081
* CVE-2024-31083
Additionally, it also contains a couple of other fixes, a copy/paste error in
the DeviceStateNotify event and a fix to enable buttons with pointer gestures
for backward compatibility with legacy X11 clients.
* Don't provide xorg-x11-server-source
* xwayland sources are not meant for a generic server.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
    zypper in -t patch SUSE-2024-2776=1 openSUSE-SLE-15.6-2024-2776=1
* openSUSE Leap 15.5
    zypper in -t patch openSUSE-SLE-15.5-2024-2776=1
* Development Tools Module 15-SP5
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-2776=1
* Development Tools Module 15-SP6
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-2776=1
* SUSE Package Hub 15 15-SP6
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-2776=1
* SUSE Linux Enterprise Workstation Extension 15 SP6
    zypper in -t patch SUSE-SLE-Product-WE-15-SP6-2024-2776=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
    * xwayland-devel-24.1.1-150600.5.3.1
    * xwayland-debuginfo-24.1.1-150600.5.3.1
    * xwayland-debugsource-24.1.1-150600.5.3.1
    * xwayland-24.1.1-150600.5.3.1
    * presentproto-devel-1.3-150600.3.3.1
* openSUSE Leap 15.6 (noarch)
    * wayland-protocols-devel-1.36-150600.4.3.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
    * dri3proto-devel-1.2-150100.6.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * dri3proto-devel-1.2-150100.6.3.1
* Development Tools Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * dri3proto-devel-1.2-150100.6.3.1
* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
    * dri3proto-devel-1.2-150100.6.3.1
    * presentproto-devel-1.3-150600.3.3.1
* SUSE Package Hub 15 15-SP6 (noarch)
    * wayland-protocols-devel-1.36-150600.4.3.1
* SUSE Linux Enterprise Workstation Extension 15 SP6 (x86_64)
    * xwayland-debugsource-24.1.1-150600.5.3.1
    * xwayland-24.1.1-150600.5.3.1
    * xwayland-debuginfo-24.1.1-150600.5.3.1
## References:
* https://www.suse.com/security/cve/CVE-2024-31080.html
* https://www.suse.com/security/cve/CVE-2024-31081.html
* https://www.suse.com/security/cve/CVE-2024-31083.html
* https://bugzilla.suse.com/show_bug.cgi?id=1219892
* https://bugzilla.suse.com/show_bug.cgi?id=1222309
* https://bugzilla.suse.com/show_bug.cgi?id=1222310
* https://bugzilla.suse.com/show_bug.cgi?id=1222312
* https://bugzilla.suse.com/show_bug.cgi?id=1222442
* https://jira.suse.com/browse/PED-9498