dist-upgrade for xserver-xorg security issue
- This topic has 15 replies, 3 voices, and was last updated Dec 3-4:39 pm by stevesr0.
November 3, 2018 at 3:23 pm #13022 Member
stevesr0
I saw this notice of late October.
I checked and my xserver-xorg is current.
The only things that would be replaced according to apt dist-upgrade are a few removals which aren’t needed anymore and five applications I don’t want to update.
So, what is necessary to take care of the security issue??
Thanks
stevesr0
November 3, 2018 at 4:23 pm #13024 Forum Admin
anticapitalista
What is being removed? Can you post the output of
apt-get dist-upgrade
so we can see better.
Philosophers have interpreted the world in many ways; the point is to change it.
antiX with runit - leaner and meaner.
November 5, 2018 at 5:25 pm #13161 Member
stevesr0
This is after “apt-get -s dist-upgrade”:
“The following packages were automatically installed and are no longer required:
keyboard-cc-antix libgtkglext1 live-usb-gui-antix python-gtkglext1 python-opengl
Use ‘sudo apt autoremove’ to remove them.”
(although you didn’t ask for them, this is what is to be installed:
“The following packages will be upgraded:
adobe-flash-properties-gtk adobe-flashplugin ddm-mx dosbox nvidia-detect”)
My installed versions of xserver-xorg programs are 2.1.19.6-1~nos (common and core) and 1:7.7+19 (xorg).
See anything that needs to be fixed?
Thanks.
stevesr0
November 6, 2018 at 2:19 am #13167 Forum Admin
anticapitalista
inxi -r
to see your repos.
November 6, 2018 at 11:09 am #13199 Member
stevesr0
Thanks.
Here tis
stevesr0
$ inxi -r
Repos:
Active apt repos in: /etc/apt/sources.list.d/antix.list
1: deb http://repo.antixlinux.com/stretch stretch main nosystemd nonfree
Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
1: deb http://ftp.us.debian.org/debian/ stretch-updates main contrib non-free
Active apt repos in: /etc/apt/sources.list.d/debian.list
1: deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
2: deb http://security.debian.org/ stretch/updates main contrib non-free
Active apt repos in: /etc/apt/sources.list.d/home:stevenpusser:xserver-xorg-core-backport-no-systemd.list
1: deb [trusted=yes] http://download.opensuse.org/repositories/home:/stevenpusser:/xserver-xorg-core-backport-no-systemd/Debian_9.0/ /
No active apt repos in: /etc/apt/sources.list.d/onion.list
No active apt repos in: /etc/apt/sources.list.d/various.list
November 6, 2018 at 11:15 am #13200 Forum Admin
anticapitalista
Maybe the xorg from stevo’s repo has caused the issue. Still, just don’t do
apt-get autoremove
if you want to keep them.
November 6, 2018 at 1:35 pm #13206 Moderator
caprea
stevesr0, did you try at any time to force the xserver-xorg-core version from stevo’s to the one from anti?
I think it’s the better option because it’s not a backport from testing but a patched version of stable.
Hierax_ca confirmed anti’s version works well with the wacom-digitizers.
When stevo offered his version I installed it on an antiX system for testing purposes only. 3 months later I decided to force anti’s version. I did this with synaptic (under package – force version) and all went well.
antiX stable (stretch) now uses xserver-xorg-core 2:1.19.2-1.0nosystemd3
November 7, 2018 at 10:32 am #13216 Member
stevesr0
@caprea,
I did install Stevo’s version of -core and -common. I have the 1:7.7+19 version of xserver-xorg.
Steveo’s patched versions took care of the time delay on boot with Wacom digitizers.
@anticapitalista,
I am actually unaware of any issue. I posted because of the Urgent security issue posting with xserver-xorg recommending a dist-upgrade.
My xserver-xorg is at version 1:7.7+19. This is the only version available from my repos. Should I be trying to install a different version?
As I mentioned above, my xserver-xorg-core and xserver-xorg-common are from Stevo and are at version 2:1.19.6-1~nos.
As these seem to have been working fine, my only question is about the nature of the security issue with these three programs in my currently installed versions. Do I need to install/remove anything or are these “secure”?
Thanks in advance.
stevesr0
November 7, 2018 at 12:53 pm #13221 Moderator
caprea
The packages you get from the antix-repos have been patched for security reasons and have been already upgraded.
AFAIK on my antix-stable it was
xserver-common
xserver-xorg-core
xserver-xorg-legacy
They are now 2:1.19.2-1.0nosystemd3
So it looks to me as long as you stick with the version from stevo of xserver-xorg-core, you have to ask stevo if it is patched or upgraded for security reasons.
And also AFAIK anti fixed the xserver-xorg-core with patches for the boot-delay with wacom-digitizers.
November 17, 2018 at 6:05 pm #13470 Member
stevesr0
Hi caprea,
I queried Steveo on the MXLinux forum and he said he would check if the version he used from Buster is patched.
I just read about the bug and it seemed that it is based on the setuid setting allowing someone to obtain root privileges.
It was said that if I am using a login manager (which I am) instead of using startx (for example), then I could use the chmod command to disable the access to root. I imagine this would be necessary with all three files (xserver-xorg-core, xserver-xorg-common and xserver-xorg-legacy).
So instead of changing the version, I could try that while waiting to hear from Stevo, yes (or no)?
** I queried the current permissions of the xserver files and got the following result:
$ ls -l /usr/lib/xorg/Xorg*
-rwxr-xr-x 1 root root 2423624 Jun 14 14:23 /usr/lib/xorg/Xorg
-rwsr-sr-x 1 root root 10576 Jun 14 14:23 /usr/lib/xorg/Xorg.wrap
Three questions:
(1) What is the meaning of “/usr/lib/xorg/Xorg.wrap” being outlined in RED (in LX Terminal)?
(2) The permissions for Xorg.wrap include -sr-. If I don’t want that to be allowed, all I need to do is to run chmod 0755 (or would it require chmod u-s) for those files?
(3) If Stevo’s version is NOT patched and I switch from 2:1.19.6 to 2:1.19.2 (the patched antix version) is that likely to cause any other problems?
Thanks in advance.
stevesr0
- This reply was modified 4 years, 5 months ago by stevesr0.
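The difference between the two chmod forms asked about in question (2), as an added example that is not part of the original post: it applies each form to a scratch file given the same -rwsr-sr-x mode as the Xorg.wrap listing and only reads the mode of the installed files. The function names and the scratch file name are hypothetical, chosen for this illustration.

```shell
#!/bin/sh
# Added illustration, not from the thread. Helper and file names are hypothetical.

# Print which special mode bits FILE carries (POSIX test: -u setuid, -g setgid).
special_bits() {
    if [ -u "$1" ]; then suid=yes; else suid=no; fi
    if [ -g "$1" ]; then sgid=yes; else sgid=no; fi
    printf 'suid=%s sgid=%s\n' "$suid" "$sgid"
}

# Create a scratch file with mode 6755 (shown by ls as -rwsr-sr-x, like the
# Xorg.wrap line in the post), apply one chmod argument, report what is left.
after_chmod() {
    dir=$(mktemp -d) || return 1
    sample="$dir/Xorg.wrap.sample"      # constructed stand-in, never executed
    : > "$sample"
    chmod 6755 "$sample"
    chmod "$1" "$sample"
    special_bits "$sample"
    rm -rf "$dir"
}

# Read-only report on the two paths listed in the post, if they exist here.
report_installed() {
    for f in /usr/lib/xorg/Xorg /usr/lib/xorg/Xorg.wrap; do
        if [ -e "$f" ]; then
            printf '%s: %s\n' "$f" "$(special_bits "$f")"
        fi
    done
}

printf 'chmod 0755 -> %s\n' "$(after_chmod 0755)"   # suid=no sgid=no
printf 'chmod u-s  -> %s\n' "$(after_chmod u-s)"    # suid=no sgid=yes
printf 'chmod ug-s -> %s\n' "$(after_chmod ug-s)"   # suid=no sgid=no
report_installed
```

A mode changed by hand on a packaged file is overwritten when the package is next upgraded or reinstalled unless the override is registered with dpkg-statoverride.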
November 17, 2018 at 8:56 pm #13473 Moderator
caprea
What can I say about that, in the end it is up to you.
For me it just looks easier to stay with the antix-repos as long as it is possible, upgrades will come automatically then.
To answer your questions as far as I can.
1) I really don’t know, I can only guess this refers to SUID rights
2) I can only highly recommend not to make any changes to the permissions to such important system parts.
3) All I can tell you is that it worked fine for me.
If you use synaptic to do this (force version), you will be shown which changes will be made. If nothing else will be installed or removed, it should work properly.
(You must remember to remove stevo’s repo from etc/apt/sources.list.d afterwards. It should also be possible to return to stevo’s versions if you are unhappy with the result.)
November 18, 2018 at 12:13 pm #13488 Member
stevesr0
November 19, 2018 at 5:59 pm #13514 Member
stevesr0
Hi caprea and Anticapitalista,
I switched from the Stevo versions to the ones in the antiX repos and got a black screen at boot.
Specifically, I used aptitude and selected the earlier versions and after some fighting, the three applications (core, common, legacy) were switched from 19.6 to 19.2.
After rebooting, I ended up with a black screen.
I only fixed this by booting to a command prompt and reinstalling the 19.6 versions.
After a reboot, X windows brought up the original DC metro station picture.
Is there something different or additional I should have done to ensure that X windows was properly updated to the change??
stevesr0
November 20, 2018 at 6:14 am #13535 Moderator
caprea
Oh dear, I’m glad you could solve the black screen.
You say you used aptitude and there was some fighting, I used synaptic and there was no fighting at all.
No, there was nothing additional to do.
Anyway I don’t feel comfortable maybe breaking other people’s system.
So it is up to you to try this again or maybe step on stevo’s feet again reminding him of your question.
MX18 is in the starting blocks, so he maybe just forgot.
November 22, 2018 at 12:21 pm #13629 Member
stevesr0
Hi to any with the same problem,
Stevo posted an updated patched version from Buster on his opensuse download page.
Installed without having a black screen. So far all looks well.
Call this solved (I will try to mark that if possible).
stevesr0