Date: Tue, 02 Jun 2026 14:34:51 +0900 (JST)
From: Masachika ISHIZUKA
To: freebsd-security@freebsd.org
Subject: Re: Why xorg-server-21.1.22,1 is vulnerable

>> # pkg audit -F
>> vulnxml file up-to-date
>> [snip]
>> xorg-server-21.1.22,1 is vulnerable:
>> xorg-server -- Multiple vulnerabilities
>> CVE: CVE-2026-34003
>> CVE: CVE-2026-34002
>> CVE: CVE-2026-34001
>> CVE: CVE-2026-34000
>> CVE: CVE-2026-33999
>> WWW: https://vuxml.FreeBSD.org/freebsd/7b6463c6-3813-11f1-a284-589cfc10a551.html
>>
>> Is this true?
>
> The VuxML for xorg-server looks wrong to me now.
>
> It says xorg-server < 21.1.22,2 but xorg-server is at epoch 1, not 2.

Thank you.
Vuxml has been updated and now displays correctly.

# pkg audit -F
[snip]
xorg-server-21.1.22,1 is vulnerable:
xorg-server -- Multiple vulnerabilities
CVE: ZDI-CAN-30168
CVE: ZDI-CAN-30165
CVE: ZDI-CAN-30164
CVE: ZDI-CAN-30163
CVE: ZDI-CAN-30161
CVE: ZDI-CAN-30160
CVE: ZDI-CAN-30159
CVE: ZDI-CAN-30136
WWW: https://vuxml.FreeBSD.org/freebsd/592ced15-5e20-11f1-86a2-589cfc10a551.html

-- 
Masachika ISHIZUKA
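
An added example, not part of the original message and not pkg's own code: a simplified Python model of how a `version[_revision][,epoch]` string is ordered against a VuXML `<lt>` bound, showing why the `< 21.1.22,2` entry quoted above matched the installed `21.1.22,1`. It assumes dotted numeric versions only, and the function names are hypothetical.

```python
import re
from itertools import zip_longest


def parse_pkg_version(s):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision)."""
    version, _, epoch = s.partition(",")
    version, _, revision = version.partition("_")
    # Simplification: only dotted numeric versions such as 21.1.22 are handled.
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version string: {s!r}")
    parts = tuple(int(p) for p in version.split("."))
    return int(epoch or 0), parts, int(revision or 0)


def compare(a, b):
    """Return -1, 0 or 1. The epoch is decisive; version and revision only break ties."""
    ea, va, ra = parse_pkg_version(a)
    eb, vb, rb = parse_pkg_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    # Assumption of this model: a missing trailing component counts as 0.
    for x, y in zip_longest(va, vb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)


def matches_lt(installed, bound):
    """True when 'installed' falls inside an '<lt>bound</lt>' range."""
    return compare(installed, bound) < 0


if __name__ == "__main__":
    installed = "21.1.22,1"  # version string from the pkg audit output above
    for bound in ("21.1.22,2", "21.1.22,1"):
        print(f"{installed} < {bound}: {matches_lt(installed, bound)}")
    # A newer upstream version at epoch 1 is still below an epoch-2 bound.
    # 21.1.23,1 is a constructed value used only for illustration.
    print("21.1.23,1 < 21.1.22,2:", matches_lt("21.1.23,1", "21.1.22,2"))
```

Because the epoch is compared first, a bound written with epoch 2 covers every epoch-1 package regardless of its version number, so a range with the wrong epoch flags releases that already contain the fix.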