Contributed by jj on 2015-03-04 from the x-window-of-opportunity dept.

Patches are now available to fix an information leak in the XkbSetGeometry request of X servers. For more information, see the X.org advisory .

We experienced a slight delay getting patches out, as you can see from the date in the patch. This is a comparatively minor issue so we didn't rush things until correctly signed patches were available.

http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/021_xserver.patch.sig

http://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/016_xserver.patch.sig

untrusted comment: signature from openbsd 5.6 base private key RWR0EANmo9nqholgu2GQCCaaJuP9HvfU/V5+SgCtPaxbMZfHJRNbbCXzdsIWAL0Dfr9kMeNbiOs21lUgA4Ej3AFsptAdQsB9JQk=

OpenBSD 5.6 errata 16, February 20, 2015:

Information leak in the XkbSetGeometry request of X servers

Olivier Fourdan from Red Hat has discovered a protocol handling issue in the way the X server code base handles the XkbSetGeometry request.

Apply patch using:

signify -Vep /etc/signify/openbsd-56-base.pub -x 016_xserver.patch.sig \ -m - | (cd /usr/xenocara && patch -p0)

Then build and install a new xserver:

cd /usr/xenocara/xserver make -f Makefile.bsd-wrapper obj make -f Makefile.bsd-wrapper build