Security update for xorg-x11-server

Announcement ID:	SUSE-SU-2022:4485-1
Rating:	important
References:	bsc#1205874 bsc#1205875 bsc#1205876 bsc#1205877 bsc#1205878 bsc#1205879 bsc#1206017
Cross-References:	CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344
CVSS scores:	CVE-2022-4283 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-4283 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46340 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2022-46340 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46341 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2022-46341 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46342 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2022-46342 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46343 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2022-46343 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46344 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2022-46344 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3

An update that solves six vulnerabilities and has one security fix can now be installed.

Description:

This update for xorg-x11-server fixes the following issues:

CVE-2022-46340: Server XTestSwapFakeInput stack overflow (bsc#1205874)
CVE-2022-46341: Server XIPassiveUngrabDevice out-of-bounds access (bsc#1205877)
CVE-2022-46342: Server XvdiSelectVideoNotify use-after-free (bsc#1205879)
CVE-2022-46343: Server ScreenSaverSetAttributes use-after-free (bsc#1205878)
CVE-2022-46344: Server XIChangeProperty out-of-bounds access (bsc#1205876)
CVE-2022-4283: Reset the radio_groups pointer to NULL after freeing it (bsc#1206017)
Xi: return an error from XI property changes if verification failed (bsc#1205875)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-4485=1
SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-4485=1

Package List:

SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
- xorg-x11-server-extra-7.6_1.18.3-76.57.1
- xorg-x11-server-debuginfo-7.6_1.18.3-76.57.1
- xorg-x11-server-7.6_1.18.3-76.57.1
- xorg-x11-server-debugsource-7.6_1.18.3-76.57.1
- xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.57.1
SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 (x86_64)
- xorg-x11-server-extra-7.6_1.18.3-76.57.1
- xorg-x11-server-debuginfo-7.6_1.18.3-76.57.1
- xorg-x11-server-7.6_1.18.3-76.57.1
- xorg-x11-server-debugsource-7.6_1.18.3-76.57.1
- xorg-x11-server-extra-debuginfo-7.6_1.18.3-76.57.1

Security update for xorg-x11-server

Description:

Patch Instructions:

Package List:

References: