Bug 1950788

Summary: Include xorg-x11-server-1.20.11 and xorg-x11-server-Xwayland-21.1.1-1.fc34 into Fedora 34 to fix CVE-2021-3472
Product: [Fedora] Fedora Reporter: František Zatloukal <fzatlouk>
Component: xorg-x11-serverAssignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 34CC: awilliam, bskeggs, caillon+fedoraproject, fzatlouk, jglisse, ofourdan, rhughes, robatino, rstrode, sandmann, xgl-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedBlocker
Fixed In Version: xorg-x11-server-1.20.11-1.fc34 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-20 01:34:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1829024    

Description František Zatloukal 2021-04-18 18:37:35 UTC 
xorg-x11-server-1.20.10 which is currently in F34 stable repository has an unfixed security issue of high impact [0] that is fixed in xorg-x11-server-1.20.11 which already went stable on F33. 

We might want to release F34 with this fixed.

[0] https://access.redhat.com/security/cve/cve-2021-3472
Comment 1 Fedora Blocker Bugs Application 2021-04-18 18:40:38 UTC 
Proposed as a Blocker and Freeze Exception for 34-final by Fedora user frantisekz using the blocker tracking app because:

 The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation).

The X11 session may get used in special scenarios that are release blocking (eg. the basic video option) or some hardware that is blacklisted to be used on Wayland.

I am proposing this both as a Blocker and as an FE in case we decide that the CVE doesn't meet the blocking criteria.
Comment 2 Adam Williamson 2021-04-19 15:51:28 UTC 
+3 in https://pagure.io/fedora-qa/blocker-review/issue/359 , marking accepted.
Comment 3 Olivier Fourdan 2021-04-19 15:55:52 UTC 
Well, this should also apply to xorg-x11-server-Xwayland-21.1.1-1 then, shouldn't it?
Comment 4 Adam Williamson 2021-04-19 16:19:27 UTC 
the CVE only mentions xorg-x11-server, but if the same issue affects xorg-x11-server-Xwayland, then yes, we can count it as covering both.
Comment 5 Adam Williamson 2021-04-19 17:13:08 UTC 
Dropping FE proposal as bug is accepted as a blocker.
Comment 6 Fedora Update System 2021-04-19 19:08:38 UTC 
FEDORA-2021-112d542766 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-112d542766
Comment 7 Fedora Update System 2021-04-19 19:09:14 UTC 
FEDORA-2021-0e2981e013 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-0e2981e013
Comment 8 Fedora Update System 2021-04-20 01:34:39 UTC 
FEDORA-2021-0e2981e013 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2021-04-20 01:34:45 UTC 
FEDORA-2021-112d542766 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.