Debian Package Tracker

general

source: xorg-server (main)
version: 2:1.20.4-1
maintainer: Debian X Strike Force (archive) (DMD)
arch: all any
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2:1.16.4-1+deb8u2
o-o-sec: 2:1.16.4-1+deb8u2
oldstable: 2:1.19.2-1+deb9u5
old-sec: 2:1.19.2-1+deb9u4
stable: 2:1.20.4-1
testing: 2:1.20.4-1
unstable: 2:1.20.4-1

versioned links

2:1.16.4-1+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:1.19.2-1+deb9u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:1.19.2-1+deb9u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:1.20.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

xdmx (3 bugs: 0, 3, 0, 0)
xdmx-tools (1 bugs: 0, 1, 0, 0)
xnest (1 bugs: 0, 1, 0, 0)
xorg-server-source (1 bugs: 0, 1, 0, 0)
xserver-common (3 bugs: 0, 1, 2, 0)
xserver-xephyr (18 bugs: 0, 14, 4, 0)
xserver-xorg-core (213 bugs: 2, 176, 35, 0)
xserver-xorg-core-udeb
xserver-xorg-dev (2 bugs: 0, 1, 1, 0)
xserver-xorg-legacy (4 bugs: 0, 1, 3, 0)
xvfb (10 bugs: 0, 7, 3, 0)
xwayland (14 bugs: 0, 14, 0, 0)

action needed

A new upstream version is available: 1.20.5 high

A new upstream version 1.20.5 is available, you should consider packaging it.

Created: 2019-06-01 Last update: 2019-10-18 09:46

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2018-20839: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Please fix it.

Created: 2019-07-23 Last update: 2019-10-01 15:00

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2018-20839: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Please fix it.

Created: 2019-07-23 Last update: 2019-10-01 15:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2018-20839: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Please fix it.

Created: 2019-07-23 Last update: 2019-10-01 15:00

1 security issue in stretch high

There is 1 open security issue in stretch.

1 important issue:

CVE-2018-20839: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Please fix it.

Created: 2019-07-23 Last update: 2019-10-01 15:00

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 3.9.8).

Created: 2017-07-07 Last update: 2019-09-29 23:41

lintian reports 4 errors and 39 warnings high

Lintian reports 4 errors and 39 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-09-01 Last update: 2019-09-04 00:48

29 bugs tagged patch in the BTS normal

The BTS contains patches fixing 29 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-10-18 15:05

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-09-11 Last update: 2019-10-18 09:49

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2:1.20.4-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit acb49777829b320d58a3a6c65828aabfffeb381e
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Mon Sep 30 19:37:41 2019 +0200

    Fix a typo in the xvfb-run manpage

commit fe0cd8813e9103e56fa86899a9356f004f4ded1f
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Mon Sep 30 19:07:52 2019 +0200

    Add xz-utils to Build-Depends-Indep
    
    Needed to produce the tarball in xorg-server-source.  Currently
    dpkg-dev pulls in xz-utils for us, but this might change some day.

commit 53f45caf888abdf42cf5397af2e9fcc4db978bed
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Mon Sep 30 19:06:31 2019 +0200

    Drop dpkg-dev build dependency
    
    Even oldoldoldstable has a newer version.

commit c4b9d9130e9a186466b7de579d6aa9a28ead6821
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Mon Sep 30 18:59:58 2019 +0200

    Bump debhelper compat level to 11
    
    Drop autoreconf and --parallel from the dh sequence, default since
    compat level 10.  Remove dh-autoreconf from Build-Depends, redundant.
    
    Not going for compat level 12 now, since this will run dh_dwz and
    produce different binary packages, unlike compat level 11 where they
    are identical to compat level 9.

commit f8239403d52b0c802565d84086a26bf4480aa8c8
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 20:42:40 2019 +0200

    Fix reproducibility problems in the xorg-server-source package
    
    The files in the xorg-server.tar.xz tarball had random order, and the
    timestamps of patched and newly created files depended on the time of
    the build.  Fix that with the --sort, --mtime and --clamp-mtime
    options of tar.
    
    Also ensure that the files in the tarball have sane permissions.
    There is still a problem if the builder uses a restrictive umask, as
    scripts may end up not world-executable, but for usual umask values
    like 022 or 002 as on the buildds the xorg-server.tar.xz should always
    come out identically.
    
    This also means that xorg-server should build fully reproducible now.

commit 4e2e4525e7aa2b31eb7e935628cf11d8eec51101
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 19:07:44 2019 +0200

    Delete debian/xserver-xorg-core.lintian-overrides
    
    The overrides have been unused since commit 695262d9ef.

commit b18592d54355a84d4eb39f51f661ec19c6fef820
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 19:00:48 2019 +0200

    Replace XC-Package-Type with Package-Type
    
    See "lintian-info -t xc-package-type-in-debian-control".

commit fbb4e9adf8ebad16045b07a9172897d6e80396c8
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:57:01 2019 +0200

    Remove trailing whitespace from debian/control

commit 2b6a61af98caf454e6812d714bcfb120c67a5345
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:54:32 2019 +0200

    Drop dependency on libegl1-mesa
    
    For about two years, libegl1-mesa has been a dummy package pulling in
    libegl1, so only depend on the latter.

commit 4792191b2bb7d3b9130ddf94bd9e264d64a89afb
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:41:36 2019 +0200

    Set Rules-Requires-Root to binary-targets
    
    Needed because the wrapper in xserver-xorg-legacy is setuid root.

commit dffe16d8bbd9baaed761b17d1694b53ab7895b32
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:32:03 2019 +0200

    Remove the executable bits from debian/rules.flags
    
    This file does not need to be executable, and when not building from
    git it won't be anyway due to source format 1.0.

commit acd09bf2eb084e81dd3fcd549a4020200100ee3c
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:31:19 2019 +0200

    Let find delete pesky *.la files itself

commit 7e18435391f9f0af92802d0fc1205530442ca23e
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:29:23 2019 +0200

    Remove QUILT_STAMPFN remnant of pre-dh packaging

commit 01f6e9925a569b43115d6c4921d40bb99de6aee3
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:24:18 2019 +0200

    Drop some obsolete configure options
    
    Seen in the build logs:
    
    configure: WARNING: unrecognized options: --disable-maintainer-mode,
    --disable-tslib, --disable-xfake, --disable-xfbdev
    
    These options were all removed in xserver 1.20.0.  See commits
    5c7ed785e3bd, 35fbcb3f9987 and feed7e3f982a, respectively.

commit b6a5b35432a072732fb778e972b8878b134ebbbe
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 18:11:08 2019 +0200

    Simplify obtaining SOURCE_VERSION
    
    The -S option has been supported since dpkg-parsechangelog 1.17.0.

commit c119638422dbb051d6f575e12df353b2cc3a0f44
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 14:48:56 2019 +0200

    Remove the explicit build and build-indep targets
    
    Mixing these explicit targets with overrides was problematic,
    e.g. there was no guarantee that the build-source-stamp target would
    be processed after the quilt and autoreconf dh sequences, that worked
    only by chance.
    
    To avoid doing the main and udeb builds twice in a full (binary-arch +
    binary-indep) build, I have decided to do what is different for them
    in dh_autoreconf overrides.  Since dh_autoreconf does only run once,
    this avoids extra work.

commit 1fbe36868131780d4eca1c30c06040b116688901
Author: Sven Joachim <svenjoac@gmx.de>
Date:   Sun Sep 29 13:02:41 2019 +0200

    Exlude the build-source directory from xorg-server.tar.xz

Created: 2019-09-29 Last update: 2019-10-14 03:42

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

xorg-server-source could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2019-10-18 09:51

1 ignored security issue in jessie low

There is 1 open security issue in jessie.

1 issue skipped by the security teams:

CVE-2018-20839: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Please fix it.

Created: 2019-07-23 Last update: 2019-10-01 15:00

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2017-10-26 07:23

news

[rss feed]

[2019-06-05] xorg-server 2:1.20.4-1 MIGRATED to testing (Debian testing watch)
[2019-03-05] Accepted xorg-server 2:1.20.4-1 (source) into unstable (Andreas Boll)
[2018-11-02] Accepted xorg-server 2:1.19.2-1+deb9u5 (source) into proposed-updates->stable-new, proposed-updates (Andreas Boll)
[2018-10-31] xorg-server 2:1.20.3-1 MIGRATED to testing (Debian testing watch)
[2018-10-27] Accepted xorg-server 2:1.19.2-1+deb9u4 (source) into proposed-updates->stable-new, proposed-updates (Julien Cristau)
[2018-10-27] Accepted xorg-server 2:1.19.2-1+deb9u3 (source) into proposed-updates->stable-new, proposed-updates (Julien Cristau)
[2018-10-25] Accepted xorg-server 2:1.19.2-1+deb9u3 (source) into stable->embargoed, stable (Julien Cristau)
[2018-10-25] Accepted xorg-server 2:1.19.2-1+deb9u4 (source) into stable->embargoed, stable (Julien Cristau)
[2018-10-25] Accepted xorg-server 2:1.20.3-1 (source) into unstable (Andreas Boll)
[2018-10-25] Accepted xorg-server 2:1.20.2-1 (source) into unstable (Andreas Boll)
[2018-10-16] xorg-server 2:1.20.1-5 MIGRATED to testing (Debian testing watch)
[2018-10-10] Accepted xorg-server 2:1.20.1-5 (source) into unstable (Andreas Boll)
[2018-10-01] xorg-server 2:1.20.1-4 MIGRATED to testing (Debian testing watch)
[2018-09-26] Accepted xorg-server 2:1.20.1-4 (source) into unstable (Timo Aaltonen)
[2018-09-20] Accepted xorg-server 2:1.20.1-3 (source) into unstable (Timo Aaltonen)
[2018-09-18] Accepted xorg-server 2:1.20.1-2 (source) into unstable (Timo Aaltonen)
[2018-08-24] xorg-server 2:1.20.1-1 MIGRATED to testing (Debian testing watch)
[2018-08-17] Accepted xorg-server 2:1.20.1-1 (source) into unstable (Andreas Boll)
[2018-07-24] xorg-server 2:1.20.0-3 MIGRATED to testing (Debian testing watch)
[2018-07-01] Accepted xorg-server 2:1.20.0-3 (source) into unstable (Timo Aaltonen)
[2018-05-24] Accepted xorg-server 2:1.20.0-2 (source) into unstable (Emilio Pozuelo Monfort)
[2018-05-19] Accepted xorg-server 2:1.20.0-1 (source) into experimental (Emilio Pozuelo Monfort)
[2018-03-23] Accepted xorg-server 2:1.19.99.901-1 (source) into experimental (Timo Aaltonen)
[2018-02-01] xorg-server 2:1.19.6-1 MIGRATED to testing (Debian testing watch)
[2018-01-26] Accepted xorg-server 2:1.19.6-1 (source) into unstable (Timo Aaltonen)
[2017-11-22] Accepted xorg-server 2:1.12.4-6+deb7u8 (source all amd64) into oldoldstable (Emilio Pozuelo Monfort)
[2017-10-19] Accepted xorg-server 2:1.16.4-1+deb8u2 (source all amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Julien Cristau)
[2017-10-19] Accepted xorg-server 2:1.19.2-1+deb9u2 (source) into proposed-updates->stable-new, proposed-updates (Julien Cristau)
[2017-10-18] xorg-server 2:1.19.5-1 MIGRATED to testing (Debian testing watch)
[2017-10-16] Accepted xorg-server 2:1.19.5-1 (source) into unstable (Julien Cristau)

bugs [bug history graph]

all: 282 286
RC: 3
I&N: 226 230
M&W: 53
F&P: 0
patch: 29
NC: 1

links

homepage
lintian (4, 39)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker