Date: Mon, 1 Jun 2026 15:47:12 +0100
From: Martin Simmons
To: Masachika ISHIZUKA
CC: freebsd-security@freebsd.org, brnrd@freebsd.org
Subject: Re: Why xorg-server-21.1.22,1 is vulnerable
List-Archive: https://lists.freebsd.org/archives/freebsd-security

[ brnrd@ added ]

>>>>> On Sun, 31 May 2026 14:25:51 +0900 (JST), Masachika ISHIZUKA said:
>
> Hi.
>
> # pkg audit -F
> vulnxml file up-to-date
> [snip]
> xorg-server-21.1.22,1 is vulnerable:
> xorg-server -- Multiple vulnerabilities
> CVE: CVE-2026-34003
> CVE: CVE-2026-34002
> CVE: CVE-2026-34001
> CVE: CVE-2026-34000
> CVE: CVE-2026-33999
> WWW: https://vuxml.FreeBSD.org/freebsd/7b6463c6-3813-11f1-a284-589cfc10a551.html
>
> Is this true ?

The VuxML for xorg-server looks wrong to me now. It says xorg-server <
21.1.22,2 but xorg-server is at epoch 1, not 2.

__Martin
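
Why the range quoted above matches the installed package, as an added example that is not part of the message or of pkg(8): a simplified Python model of FreeBSD version ordering (epoch first, then version, then revision) applied to `< 21.1.22,2`. It assumes purely numeric dotted versions; the function names and every version other than `21.1.22,1` are constructed for illustration.

```python
import operator
import re

# Simplified model (assumption): numeric dotted versions only. Real pkg(8)
# also orders letters and suffixes, which this sketch rejects.
_VERSION_RE = re.compile(
    r"^(?P<ver>\d+(?:\.\d+)*)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$"
)
_OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
        "ge": operator.ge, "gt": operator.gt}


def parse_version(s):
    """Split 'version[_revision][,epoch]' into a sort key with epoch first."""
    m = _VERSION_RE.match(s)
    if m is None:
        raise ValueError(f"unsupported version string: {s!r}")
    ver = tuple(int(p) for p in m.group("ver").split("."))
    # A missing PORTREVISION or PORTEPOCH counts as 0.
    return (int(m.group("epoch") or 0), ver, int(m.group("rev") or 0))


def in_range(installed, vrange):
    """True if `installed` satisfies every bound of a VuXML-style range."""
    key = parse_version(installed)
    return all(_OPS[op](key, parse_version(bound))
               for op, bound in vrange.items())


# Range as stated in the message: xorg-server < 21.1.22,2
RANGE_ON_PAGE = {"lt": "21.1.22,2"}


def audit(versions, vrange=RANGE_ON_PAGE):
    """Map each version string to whether the range flags it."""
    return {v: in_range(v, vrange) for v in versions}


if __name__ == "__main__":
    # 21.1.22,1 is from the message; the rest are constructed samples.
    samples = ["21.1.22,1", "21.1.23,1", "99.0_3,1",
               "21.1.21_1,2", "21.1.22,2"]
    for version, hit in audit(samples).items():
        print(f"{version:>12}  {'vulnerable' if hit else 'ok'}")
```

Because the epoch is compared before anything else, an upper bound written with epoch 2 matches every version still at epoch 1, whatever its upstream version number.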