xorg-server - Debian Package Tracker

general

source: xorg-server (main)
version: 2:21.1.22-1
maintainer: Debian X Strike Force (archive) (DMD)
arch: all any
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2:1.20.11-1+deb11u13
o-o-sec: 2:1.20.11-1+deb11u17
oldstable: 2:21.1.7-3+deb12u11
old-sec: 2:21.1.7-3+deb12u11
stable: 2:21.1.16-1.3+deb13u1
stable-sec: 2:21.1.16-1.3+deb13u1
testing: 2:21.1.21-1
unstable: 2:21.1.22-1

versioned links

2:1.20.11-1+deb11u13: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:1.20.11-1+deb11u17: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:21.1.7-3+deb12u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:21.1.16-1.3+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:21.1.21-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2:21.1.22-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

xnest (1 bugs: 0, 1, 0, 0)
xorg-server-source (2 bugs: 2, 0, 0, 0)
xserver-common (6 bugs: 0, 1, 5, 0)
xserver-xephyr (19 bugs: 0, 15, 4, 0)
xserver-xorg-core (242 bugs: 0, 206, 36, 0)
xserver-xorg-core-udeb
xserver-xorg-dev (3 bugs: 0, 2, 1, 0)
xserver-xorg-legacy (4 bugs: 0, 1, 3, 0)
xvfb (13 bugs: 1, 10, 2, 0)

action needed

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2023-5574: A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.

Created: 2023-10-25 Last update: 2026-04-24 04:00

6 security issues in forky high

There are 6 open security issues in forky.

6 important issues:

CVE-2023-5574: A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
CVE-2026-33999: A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.
CVE-2026-34000:
CVE-2026-34001: A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
CVE-2026-34002:
CVE-2026-34003: A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.

Created: 2025-08-09 Last update: 2026-04-24 04:00

lintian reports 14 errors and 16 warnings high

Lintian reports 14 errors and 16 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-15 Last update: 2026-04-15 06:00

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 3.9.8).

Created: 2017-07-07 Last update: 2026-04-15 00:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-04-20 Last update: 2026-04-26 05:02

42 bugs tagged patch in the BTS normal

The BTS contains patches fixing 42 bugs (43 if counting merged bugs), consider including or untagging them.

Created: 2026-04-06 Last update: 2026-04-26 05:00

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-11-04 Last update: 2026-04-26 00:17

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-09-23 Last update: 2025-09-23 17:32

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

xorg-server-source could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2026-04-26 01:00

5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:

CVE-2023-5574: (postponed; to be fixed through a stable update) A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
CVE-2026-33999: (needs triaging) A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.
CVE-2026-34001: (needs triaging) A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
CVE-2026-34002: (needs triaging)
CVE-2026-34003: (needs triaging) A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.

You can find information about how to handle these issues in the security team's documentation.

1 issue that should be fixed with the next stable update:

CVE-2026-34000:

Created: 2025-08-09 Last update: 2026-04-24 04:00

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2023-5574: (postponed; to be fixed through a stable update) A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
CVE-2022-49737: (postponed; to be fixed through a stable update) In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.
CVE-2026-34000: (needs triaging)

You can find information about how to handle these issues in the security team's documentation.

4 issues that should be fixed with the next stable update:

CVE-2026-33999: A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.
CVE-2026-34001: A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
CVE-2026-34002:
CVE-2026-34003: A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.

Created: 2023-10-25 Last update: 2026-04-24 04:00

testing migrations

excuses:
- Migration status for xorg-server (2:21.1.21-1 to 2:21.1.22-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for at-spi2-core/2.60.0-1: s390x: Pass ♻
- ∙ ∙ Autopkgtest for coyote/2022.04.12-3: amd64: Pass, arm64: Pass, i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Test triggered (failure will be ignored), riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for dipy/1.11.0-3: amd64: Pass, arm64: Pass, i386: Ignored failure ♻ (reference ♻), ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for freecad/1.0.2+dfsg-7: amd64: Pass ♻ (reference ♻), arm64: Pass ♻ (reference ♻), i386: Failed (not a regression) ♻ (reference ♻), ppc64el: Pass ♻ (reference ♻), riscv64: Pass ♻, s390x: Pass ♻ (reference ♻)
- ∙ ∙ Autopkgtest for libpanel/1.10.4-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Regression ♻ (reference ♻), s390x: Pass
- ∙ ∙ Autopkgtest for libreoffice/4:26.2.2.2-3: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Test triggered (failure will be ignored), ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for openjdk-21/21.0.11~9ea-1: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Pass, ppc64el: Test triggered (failure will be ignored), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for openjdk-25/25.0.3~8ea-1: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Pass, ppc64el: Test triggered (failure will be ignored), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for openjdk-26/26+35-2: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Pass, ppc64el: Test triggered (failure will be ignored), riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for proton-vpn-gtk-app/4.15.2-1: s390x: Pass ♻ (reference ♻)
- ∙ ∙ Autopkgtest for r-cran-ps/1.9.2-1: s390x: Pass ♻
- ∙ ∙ Autopkgtest for rust-gtk4/0.10.3-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for thunderbird/1:140.9.1esr-1: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Pass, ppc64el: No tests, superficial or marked flaky ♻ (reference ♻), riscv64: Test triggered (failure will be ignored), s390x: Failed (not a regression) ♻ (reference ♻)
- ∙ ∙ Autopkgtest for xorg-server/2:21.1.22-1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻, s390x: No tests, superficial or marked flaky ♻
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/x/xorg-server.html
- ∙ ∙ Reproducibility check waiting for results on amd64
- ∙ ∙ Reproducibility check waiting for results on arm64
- ∙ ∙ Reproducibility check waiting for results on armhf
- ∙ ∙ Reproducibility check waiting for results on i386
- ∙ ∙ Reproducibility check waiting for results on ppc64el
- ∙ ∙ 11 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-04-14] Accepted xorg-server 2:21.1.22-1 (source) into unstable (Timo Aaltonen)
[2025-11-30] xorg-server 2:21.1.21-1 MIGRATED to testing (Debian testing watch)
[2025-11-25] Accepted xorg-server 2:21.1.21-1 (source) into unstable (Timo Aaltonen)
[2025-11-04] xorg-server 2:21.1.20-1 MIGRATED to testing (Debian testing watch)
[2025-11-01] Accepted xorg-server 2:21.1.7-3+deb12u11 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-10-29] Accepted xorg-server 2:21.1.16-1.3+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-10-29] Accepted xorg-server 2:21.1.20-1 (source) into unstable (Emilio Pozuelo Monfort)
[2025-10-29] Accepted xorg-server 2:1.20.11-1+deb11u17 (source) into oldoldstable-security (Thorsten Alteholz)
[2025-10-29] Accepted xorg-server 2:21.1.7-3+deb12u11 (source) into oldstable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-10-29] Accepted xorg-server 2:21.1.16-1.3+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-09-10] xorg-server 2:21.1.18-2 MIGRATED to testing (Debian testing watch)
[2025-08-27] Accepted xorg-server 2:21.1.18-2 (source) into unstable (Timo Aaltonen)
[2025-06-30] xorg-server 2:21.1.16-1.3 MIGRATED to testing (Debian testing watch)
[2025-06-27] Accepted xorg-server 2:21.1.18-1 (source) into experimental (Timo Aaltonen)
[2025-06-25] Accepted xorg-server 2:1.20.11-1+deb11u16 (source) into oldstable-security (Emilio Pozuelo Monfort)
[2025-06-23] Accepted xorg-server 2:21.1.7-3+deb12u10 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-06-23] Accepted xorg-server 2:21.1.7-3+deb12u10 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-06-22] Accepted xorg-server 2:21.1.16-1.3 (source) into unstable (Salvatore Bonaccorso)
[2025-06-17] Accepted xorg-server 2:21.1.16-1.2 (source) into unstable (Salvatore Bonaccorso)
[2025-05-14] xorg-server 2:21.1.16-1.1 MIGRATED to testing (Debian testing watch)
[2025-05-07] Accepted xorg-server 2:21.1.16-1.1 (source) into unstable (Salvatore Bonaccorso)
[2025-03-11] xorg-server 2:21.1.16-1 MIGRATED to testing (Debian testing watch)
[2025-03-01] Accepted xorg-server 2:21.1.7-3+deb12u9 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-02-28] Accepted xorg-server 2:21.1.7-3+deb12u9 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2025-02-28] Accepted xorg-server 2:1.20.11-1+deb11u15 (source) into oldstable-security (Thorsten Alteholz)
[2025-02-26] Accepted xorg-server 2:21.1.16-1 (source) into unstable (Emilio Pozuelo Monfort)
[2025-02-19] xorg-server 2:21.1.15-3 MIGRATED to testing (Debian testing watch)
[2025-02-13] Accepted xorg-server 2:21.1.15-3 (source) into unstable (Emilio Pozuelo Monfort)
[2024-12-26] xorg-server 2:21.1.15-2 MIGRATED to testing (Debian testing watch)
[2024-12-20] Accepted xorg-server 2:21.1.15-2 (source) into unstable (Timo Aaltonen)

bugs [bug history graph]

all: 312 319
RC: 2 3
I&N: 250 256
M&W: 60
F&P: 0
patch: 42 43

links

homepage
lintian (14, 16)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
l10n (99, -)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2:21.1.22-1ubuntu1
286 bugs (10 patches)
patches for 2:21.1.22-1ubuntu1