Bug 1190489 - (CVE-2021-4011) VUL-0: CVE-2021-4011: xorg-x11-server: SwapCreateRegister Out-Of-Bounds Access Local Privilege Escalation Vulnerability (ZDI-CAN-14952)
Status: CONFIRMED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/309973
CVSSv3.1:SUSE:CVE-2021-4011:7.8:(AV:L...
Reported: 2021-09-14 14:38 UTC by Gianluca Gabrielli
Modified: 2022-02-17 11:29 UTC (History)
Attachments
Researcher proposed patch (596 bytes, patch)
2021-09-14 14:41 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2021-09-14 14:38:22 UTC
The attachment named ZDI-CAN-14952.zip could not be scanned for viruses because it is a password protected file.
ZDI-CAN-14952: X.Org Server SwapCreateRegister Out-Of-Bounds Access Local Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
X.Org - Server

-- VULNERABILITY DETAILS ------------------------
* Version tested: 1.20.4
* Installer file: debian-10.10.0-amd64-xfce-CD-1.iso
* Platform tested: debian-10.10.0-amd64-xfce-CD-1.iso

---

### Analysis

```
The exploit doesn't work if the OS is installed on VMware or default VirtualBox;
it works on VirtualBox with the VBoxVGA graphics controller.

An OOB access bug exists in xserver, in SwapCreateRegister(), which can be triggered from SProcRecordCreateContext() or SProcRecordRegisterClients().
https://gitlab.freedesktop.org/xorg/xserver/-/blob/236d1775509404b0dcf44873422dd8652b1e9588/render/render.c#L2323
The exploit uses pixmaps to spray and achieve arbitrary read/write.
It leads to LPE for some distributions (xorg in Debian is run as root under a specific display driver) and RCE for SSH X11 forwarding environments.
```

~~~C++
static int
SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{
    int i;
    XID *pClientID;

    swapl(&stuff->context);
    swapl(&stuff->nClients);
    swapl(&stuff->nRanges);
    pClientID = (XID *) &stuff[1];
    if (stuff->nClients >
        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
        return BadLength;
    for (i = 0; i < stuff->nClients; i++, pClientID++) {
        swapl(pClientID);
    }
    // check buffer size with stuff->nRanges*4, but not stuff->nRanges*sizeof(xRecordRange)
    if (stuff->nRanges >
        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
        - stuff->nClients)
        return BadLength;
    RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
    return Success;
}                               /* SwapCreateRegister */

static void
RecordSwapRanges(xRecordRange * pRanges, int nRanges)
{
    int i;

    for (i = 0; i < nRanges; i++, pRanges++) {
        swaps(&pRanges->extRequestsMinorFirst);                 // OOB access here
        swaps(&pRanges->extRequestsMinorLast);
        swaps(&pRanges->extRepliesMinorFirst);
        swaps(&pRanges->extRepliesMinorLast);
    }
}                               /* RecordSwapRanges */
~~~


debug log
```
(gdb) b *0x55b5e8492000+0x42C78
Breakpoint 1 at 0x55b5e84d4c78
(gdb) c
Continuing.

Thread 1 "Xorg" hit Breakpoint 1, 0x000055b5e84d4c78 in ?? ()
(gdb) x/10i $pc
=> 0x55b5e84d4c78:      cmp    esi,edx                                  // the wrong check
   0x55b5e84d4c7a:      ja     0x55b5e84d4c50
   0x55b5e84d4c7c:      mov    rdi,rax
   0x55b5e84d4c7f:      call   0x55b5e85a0c40
   0x55b5e84d4c84:      xor    eax,eax
   0x55b5e84d4c86:      ret
   0x55b5e84d4c87:      mov    rsi,QWORD PTR [rdi]
   0x55b5e84d4c8a:      mov    eax,0x1
   0x55b5e84d4c8f:      cmp    BYTE PTR [rsi+0x1],0x7
   0x55b5e84d4c93:      ja     0x55b5e84d4daa
(gdb) i r $esi
esi            0x3                 3
(gdb) i r $edx
edx            0x8                 8
(gdb) bt
#0  0x000055b5e84d4c78 in ?? ()
#1  0x000055b5e84d4ce5 in ?? ()
#2  0x000055b5e84ec99e in ?? ()
#3  0x000055b5e84f0986 in ?? ()
#4  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#5  0x000055b5e84da67a in _start ()
(gdb) si
0x000055b5e84d4c7a in ?? ()
1: x/i $pc
=> 0x55b5e84d4c7a:      ja     0x55b5e84d4c50
(gdb)
0x000055b5e84d4c7c in ?? ()
1: x/i $pc
=> 0x55b5e84d4c7c:      mov    rdi,rax
(gdb)
0x000055b5e84d4c7f in ?? ()
1: x/i $pc
=> 0x55b5e84d4c7f:      call   0x55b5e85a0c40
(gdb)
0x000055b5e85a0c40 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c40:      test   esi,esi
(gdb)
0x000055b5e85a0c42 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c42:      jle    0x55b5e85a0c6d
(gdb)
0x000055b5e85a0c44 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c44:      lea    eax,[rsi-0x1]
(gdb)
0x000055b5e85a0c47 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c47:      lea    rax,[rax+rax*2+0x3]
(gdb)
0x000055b5e85a0c4c in ?? ()
1: x/i $pc
=> 0x55b5e85a0c4c:      lea    rax,[rdi+rax*8]
(gdb)
0x000055b5e85a0c50 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c50:      rol    WORD PTR [rdi+0x6],0x8                   // swaps(&pRanges->extRequestsMinorFirst);
(gdb) x/40xg $rdi-0x10
0x55b5ee001c90: 0x0000000000000000      0x0000000300000000
0x55b5ee001ca0: 0x0000000000000000      0x0000000000000000
0x55b5ee001cb0: 0x0000000000000000      0x0000000000000000
0x55b5ee001cc0: 0x0000000000000000      0x00000000000102a1
0x55b5ee001cd0: 0x0260088001010001      0x2040004000000000              // before corruption
0x55b5ee001ce0: 0x000055b5e8c7a3e0      0x0000000000002752
0x55b5ee001cf0: 0x000055b5ee001d18      0x0000000800000001
0x55b5ee001d00: 0x000055b5ee001d68      0x0000000000000000
0x55b5ee001d10: 0x0000000000000000      0x0000000000000000
0x55b5ee001d20: 0x0000000000000000      0x0000000000000000
0x55b5ee001d30: 0x0000000000000000      0x0000000000000000
0x55b5ee001d40: 0x0000000000000000      0x0000000000000000
0x55b5ee001d50: 0x0000000000000000      0x0000000000000000
0x55b5ee001d60: 0x0000000000000000      0x4141414141414141
0x55b5ee001d70: 0x0000000000000000      0x0000000000000000
0x55b5ee001d80: 0x0000000000000000      0x0000000000000000
0x55b5ee001d90: 0x0000000000000000      0x0000000000000000
0x55b5ee001da0: 0x0000000000000000      0x0000000000000000
0x55b5ee001db0: 0x0000000000000000      0x0000000000000000
0x55b5ee001dc0: 0x0000000000000000      0x0000000000000000
(gdb) si
0x000055b5e85a0c55 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c55:      rol    WORD PTR [rdi+0x8],0x8
(gdb)
0x000055b5e85a0c5a in ?? ()
1: x/i $pc
=> 0x55b5e85a0c5a:      rol    WORD PTR [rdi+0xc],0x8
(gdb)
0x000055b5e85a0c5f in ?? ()
1: x/i $pc
=> 0x55b5e85a0c5f:      rol    WORD PTR [rdi+0xe],0x8
(gdb)
0x000055b5e85a0c64 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c64:      add    rdi,0x18
(gdb)
0x000055b5e85a0c68 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c68:      cmp    rdi,rax
(gdb) i r $rdi
rdi            0x55b5ee001cb8      94239870426296               // loop from here
(gdb) i r $rax
rax            0x55b5ee001ce8      94239870426344               // loop to here
(gdb) si
0x000055b5e85a0c6b in ?? ()
1: x/i $pc
=> 0x55b5e85a0c6b:      jne    0x55b5e85a0c50
(gdb)
0x000055b5e85a0c50 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c50:      rol    WORD PTR [rdi+0x6],0x8
(gdb)
0x000055b5e85a0c55 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c55:      rol    WORD PTR [rdi+0x8],0x8
(gdb)
0x000055b5e85a0c5a in ?? ()
1: x/i $pc
=> 0x55b5e85a0c5a:      rol    WORD PTR [rdi+0xc],0x8
(gdb)
0x000055b5e85a0c5f in ?? ()
1: x/i $pc
=> 0x55b5e85a0c5f:      rol    WORD PTR [rdi+0xe],0x8
(gdb)
0x000055b5e85a0c64 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c64:      add    rdi,0x18
(gdb)
0x000055b5e85a0c68 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c68:      cmp    rdi,rax
(gdb)
0x000055b5e85a0c6b in ?? ()
1: x/i $pc
=> 0x55b5e85a0c6b:      jne    0x55b5e85a0c50
(gdb)
0x000055b5e85a0c50 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c50:      rol    WORD PTR [rdi+0x6],0x8
(gdb)
0x000055b5e85a0c55 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c55:      rol    WORD PTR [rdi+0x8],0x8
(gdb)
0x000055b5e85a0c5a in ?? ()
1: x/i $pc
=> 0x55b5e85a0c5a:      rol    WORD PTR [rdi+0xc],0x8
(gdb)
0x000055b5e85a0c5f in ?? ()
1: x/i $pc
=> 0x55b5e85a0c5f:      rol    WORD PTR [rdi+0xe],0x8
(gdb)
0x000055b5e85a0c64 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c64:      add    rdi,0x18
(gdb)
0x000055b5e85a0c68 in ?? ()
1: x/i $pc
=> 0x55b5e85a0c68:      cmp    rdi,rax
(gdb)
0x000055b5e85a0c6b in ?? ()
1: x/i $pc
=> 0x55b5e85a0c6b:      jne    0x55b5e85a0c50
(gdb)
0x000055b5e85a0c6d in ?? ()
1: x/i $pc
=> 0x55b5e85a0c6d:      ret
(gdb)
0x000055b5e84d4c84 in ?? ()
1: x/i $pc
=> 0x55b5e84d4c84:      xor    eax,eax
(gdb)
0x000055b5e84d4c86 in ?? ()
1: x/i $pc
=> 0x55b5e84d4c86:      ret
(gdb)
0x000055b5e84d4ce5 in ?? ()
1: x/i $pc
=> 0x55b5e84d4ce5:      test   eax,eax
(gdb) x/40xg 0x55b5ee001c90
0x55b5ee001c90: 0x0000000000000000      0x0000000300000000
0x55b5ee001ca0: 0x0000000000000000      0x0000000000000000
0x55b5ee001cb0: 0x0000000000000000      0x0000000000000000
0x55b5ee001cc0: 0x0000000000000000      0x00000000000102a1
0x55b5ee001cd0: 0x6002088001010001      0x4020400000000000              // after corruption
0x55b5ee001ce0: 0x000055b5e8c7a3e0      0x0000000000002752
0x55b5ee001cf0: 0x000055b5ee001d18      0x0000000800000001
0x55b5ee001d00: 0x000055b5ee001d68      0x0000000000000000
0x55b5ee001d10: 0x0000000000000000      0x0000000000000000
0x55b5ee001d20: 0x0000000000000000      0x0000000000000000
0x55b5ee001d30: 0x0000000000000000      0x0000000000000000
0x55b5ee001d40: 0x0000000000000000      0x0000000000000000
0x55b5ee001d50: 0x0000000000000000      0x0000000000000000
0x55b5ee001d60: 0x0000000000000000      0x4141414141414141
0x55b5ee001d70: 0x0000000000000000      0x0000000000000000
0x55b5ee001d80: 0x0000000000000000      0x0000000000000000
0x55b5ee001d90: 0x0000000000000000      0x0000000000000000
0x55b5ee001da0: 0x0000000000000000      0x0000000000000000
0x55b5ee001db0: 0x0000000000000000      0x0000000000000000
0x55b5ee001dc0: 0x0000000000000000      0x0000000000000000
(gdb) i r $rdi
rdi            0x55b5ee001ce8      94239870426344
(gdb) bt
#0  0x000055b5e84d4ce5 in ?? ()
#1  0x000055b5e84ec99e in ?? ()
#2  0x000055b5e84f0986 in ?? ()
#3  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#4  0x000055b5e84da67a in _start ()
(gdb) c
Continuing.

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
312     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:312
#1  0x00007fe0200d4b42 in fbBlt () from /usr/lib/xorg/modules/libfb.so
#2  0x00007fe0200d58a6 in fbBltStip () from /usr/lib/xorg/modules/libfb.so
#3  0x00007fe0200d9d30 in fbGetImage () from /usr/lib/xorg/modules/libfb.so
#4  0x000055b5e8638410 in ?? ()
#5  0x000055b5e8574b3b in ?? ()
#6  0x000055b5e84e9849 in ?? ()
#7  0x000055b5e84ec99e in ?? ()
#8  0x000055b5e84f0986 in ?? ()
#9  0x00007fe02115c09b in __libc_start_main (main=0x55b5e84da640, argc=10, argv=0x7fffe58eccc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe58eccb8) at ../csu/libc-start.c:308
#10 0x000055b5e84da67a in _start ()
(gdb)
```


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>
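
The unit mismatch in the `nRanges` check quoted in the analysis above, worked through with the values from the debug log (`esi` = 3 ranges, `edx` = 8 remaining words). This is an added example, not code from the X.Org tree or the ZDI report: the function names are hypothetical, and `req_len = 13` with `nClients = 0` is chosen to reproduce the 8 remaining words.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire sizes in bytes, matching sz_xRecordRegisterClientsReq and
 * sz_xRecordRange in the Record protocol headers. */
#define SZ_REGISTER_CLIENTS_REQ 20u
#define SZ_RECORD_RANGE         24u
/* Same rounding as the server's bytes_to_int32(). */
#define WORDS(bytes) (((bytes) + 3u) / 4u)

/* 32-bit words left for the range array after the fixed header and the
 * client-ID list. Returns 0 on success, -1 if the header or the client
 * list alone does not fit (the first check in SwapCreateRegister). */
static int words_for_ranges(uint32_t req_len, uint32_t nClients, uint32_t *left)
{
    if (req_len < WORDS(SZ_REGISTER_CLIENTS_REQ))
        return -1;
    if (nClients > req_len - WORDS(SZ_REGISTER_CLIENTS_REQ))
        return -1;
    *left = req_len - WORDS(SZ_REGISTER_CLIENTS_REQ) - nClients;
    return 0;
}

/* Check as quoted in the report: a count of 24-byte structures is
 * compared against a count of 4-byte words. Returns 1 if accepted. */
int accepts_as_reported(uint32_t req_len, uint32_t nClients, uint32_t nRanges)
{
    uint32_t left;
    if (words_for_ranges(req_len, nClients, &left) != 0)
        return 0;
    return nRanges <= left;
}

/* Unit-consistent check (hypothetical hardening): convert the remaining
 * words into whole xRecordRange slots before comparing. Dividing instead
 * of multiplying nRanges avoids any integer overflow. */
int accepts_unit_consistent(uint32_t req_len, uint32_t nClients, uint32_t nRanges)
{
    uint32_t left;
    if (words_for_ranges(req_len, nClients, &left) != 0)
        return 0;
    return nRanges <= left / WORDS(SZ_RECORD_RANGE);
}

/* Bytes by which an array of nRanges xRecordRange structures extends
 * past the end of the request (0 if it fits). */
size_t range_array_overrun(uint32_t req_len, uint32_t nClients, uint32_t nRanges)
{
    uint32_t left;
    if (words_for_ranges(req_len, nClients, &left) != 0)
        return 0;
    uint64_t have = (uint64_t)left * 4u;
    uint64_t need = (uint64_t)nRanges * SZ_RECORD_RANGE;
    return need > have ? (size_t)(need - have) : 0;
}

int main(void)
{
    /* Constructed input: req_len 13 and nClients 0 leave 8 words (edx in
     * the log); nRanges 3 is the value seen in esi. */
    uint32_t req_len = 13, nClients = 0, nRanges = 3;

    printf("check as reported accepts: %d\n",
           accepts_as_reported(req_len, nClients, nRanges));
    printf("unit-consistent accepts:   %d\n",
           accepts_unit_consistent(req_len, nClients, nRanges));
    printf("array overrun in bytes:    %zu\n",
           range_array_overrun(req_len, nClients, nRanges));
    return 0;
}
```

The 40-byte overrun equals the distance between the end of the 32-byte range area and the loop end pointer in the log (`0x55b5ee001ce8 - 0x55b5ee001cc0 = 0x28`).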
Comment 2 Gianluca Gabrielli 2021-09-14 14:41:29 UTC
Created attachment 852506 [details]
Researcher proposed patch
Comment 4 Gianluca Gabrielli 2021-09-15 15:24:25 UTC
Affected packages:
 - SUSE:SLE-12-SP2:Update/xorg-x11-server
 - SUSE:SLE-12-SP4:Update/xorg-x11-server
 - SUSE:SLE-12-SP5:Update/xorg-x11-server
 - SUSE:SLE-15-SP1:Update/xorg-x11-server
 - SUSE:SLE-15-SP2:Update/xorg-x11-server
 - SUSE:SLE-15:Update/xorg-x11-server
 - openSUSE:Factory/xorg-x11-server
Comment 12 Robert Frohl 2021-12-14 13:51:50 UTC
public via oss-security
Comment 16 Stefan Dirsch 2021-12-14 20:41:05 UTC
Submitted for sle11, sle12, sle15 products, Tumbleweed and sle15-sp4.
Comment 17 Stefan Dirsch 2021-12-14 20:41:34 UTC
Reassigning to security team.
Comment 18 OBSbugzilla Bot 2021-12-14 21:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (1190489) was mentioned in
https://build.opensuse.org/request/show/940574 Factory / xorg-x11-server
Comment 20 Swamp Workflow Management 2021-12-20 17:17:10 UTC
SUSE-SU-2021:4120-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xorg-x11-server-1.19.6-4.28.1
SUSE OpenStack Cloud 9 (src):    xorg-x11-server-1.19.6-4.28.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xorg-x11-server-1.19.6-4.28.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xorg-x11-server-1.19.6-4.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2021-12-20 17:18:32 UTC
SUSE-SU-2021:4124-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE OpenStack Cloud 8 (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xorg-x11-server-7.6_1.18.3-76.46.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xorg-x11-server-7.6_1.18.3-76.46.1
HPE Helion Openstack 8 (src):    xorg-x11-server-7.6_1.18.3-76.46.1

Comment 22 Swamp Workflow Management 2021-12-20 17:20:00 UTC
SUSE-SU-2021:4122-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE Enterprise Storage 6 (src):    xorg-x11-server-1.20.3-14.5.22.1
SUSE CaaS Platform 4.0 (src):    xorg-x11-server-1.20.3-14.5.22.1

Comment 23 Swamp Workflow Management 2021-12-20 17:22:34 UTC
SUSE-SU-2021:4121-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xorg-x11-server-1.19.6-8.36.1
SUSE Linux Enterprise Server 15-LTSS (src):    xorg-x11-server-1.19.6-8.36.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xorg-x11-server-1.19.6-8.36.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xorg-x11-server-1.19.6-8.36.1

Comment 24 Swamp Workflow Management 2021-12-20 17:23:55 UTC
SUSE-SU-2021:4119-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190489
CVE References: CVE-2021-4009,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xorg-x11-server-1.19.6-10.29.1
SUSE Linux Enterprise Server 12-SP5 (src):    xorg-x11-server-1.19.6-10.29.1

Comment 25 Swamp Workflow Management 2021-12-20 17:25:12 UTC
SUSE-SU-2021:14867-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1190489
CVE References: CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xorg-x11-server-7.4-27.122.46.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xorg-x11-server-7.4-27.122.46.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.122.46.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xorg-x11-server-7.4-27.122.46.1

Comment 26 Swamp Workflow Management 2021-12-21 20:16:48 UTC
openSUSE-SU-2021:4136-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xorg-x11-server-1.20.3-22.5.42.1
Comment 27 Swamp Workflow Management 2021-12-21 20:18:27 UTC
SUSE-SU-2021:4136-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Manager Retail Branch Server 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Manager Proxy 4.1 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE Enterprise Storage 7 (src):    xorg-x11-server-1.20.3-22.5.42.1
SUSE CaaS Platform 4.5 (src):    xorg-x11-server-1.20.3-22.5.42.1

Comment 28 Swamp Workflow Management 2021-12-22 11:18:53 UTC
openSUSE-SU-2021:1606-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xorg-x11-server-1.20.3-lp152.8.36.1
Comment 29 Swamp Workflow Management 2022-02-17 11:25:22 UTC
SUSE-SU-2021:4136-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    xorg-x11-server-1.20.3-22.5.42.1

Comment 30 Swamp Workflow Management 2022-02-17 11:29:53 UTC
openSUSE-SU-2021:4136-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1190487,1190488,1190489
CVE References: CVE-2021-4009,CVE-2021-4010,CVE-2021-4011
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xorg-x11-server-1.20.3-22.5.42.1