
Linux's X.org server is vulnerable.


mhbell


securitybreach

This is just click bait. Of course any type of software that interacts with an application could potentially have a keylogger. That is why security researchers look at software and their capabilities.

 

Notice that there is not a single source on the article. This is just FUD tactics to get you to move to Wayland. I googled Xorg keylogger and nothing relevant came back in the results. Wayland could just as easily have one as well. I am surprised at TechRepublic....

  • Like 1

securitybreach

Do not get me wrong, there are vulnerabilities with Xorg, but this is not one of them, and the ones Xorg has are not being actively exploited. Most require the system to already have been compromised.

  • Like 1

Do not get me wrong, there are vulnerabilities with Xorg, but this is not one of them, and the ones Xorg has are not being actively exploited. Most require the system to already have been compromised.

Hmmm, I wonder why most Ubuntu Server developers do not recommend installing X on a server. There are multiple reasons for not installing a GUI.

http://askubuntu.com/questions/101829/ddg#159607

 

and another link from xorg https://www.x.org/wiki/Development/Security/

This page details security issues that have been found in X.Org, and their remedies.

Please contact the X.Org security team at xorg-security@lists.x.org to report security issues in the X.Org codebase.

While the advisories are listed below by the most recent release they affect, most affect older releases as well, in many cases going back to the introduction of the affected functionality.

See the Security Checklist for the list of things to go from a bug report to a released advisory.

and the list goes on and on. I don't think that it is Click Bait as you say.

Mel


If this issue bothers you, you can start using Wayland right now. It's the default in Fedora, and if you have Debian Stretch with the GNOME desktop it's an option. I suspect the next Debian release (Buster) will go with Wayland as the default and X as a fallback.

Edited by raymac46

If this issue bothers you, you can start using Wayland right now. It's the default in Fedora, and if you have Debian Stretch with the GNOME desktop it's an option. I suspect the next Debian release (Buster) will go with Wayland as the default and X as a fallback.

It doesn't bother me, and BTW I do run Fedora as MY second Linux Distro and Linux Mint as my primary. I only pointed out that there are several vulnerabilities in Xorg Server. Well documented too. To make a statement that it is
.This is just click bait. Of course any type of software that interacts with an application could potentially have a keylogger. That is why security researchers look at software and their capabilities.

 

Notice that there is not a single source on the article. This is just FUD tactics to get you to move to Wayland. I googled Xorg keylogger and nothing relevant came back in the results. Wayland could just as easily have one as well. I am surprised at TechRepublic....

IMHO is irresponsible in light of all the security problems with all software nowadays.

 

Mel


securitybreach

Do not get me wrong, there are vulnerabilities with Xorg, but this is not one of them, and the ones Xorg has are not being actively exploited. Most require the system to already have been compromised.

Hmmm, I wonder why most Ubuntu Server developers do not recommend installing X on a server. There are multiple reasons for not installing a GUI.

http://askubuntu.com...1829/ddg#159607

 

and another link from xorg https://www.x.org/wi...pment/Security/

This page details security issues that have been found in X.Org, and their remedies.

Please contact the X.Org security team at xorg-security@lists.x.org to report security issues in the X.Org codebase.

While the advisories are listed below by the most recent release they affect, most affect older releases as well, in many cases going back to the introduction of the affected functionality.

See the Security Checklist for the list of things to go from a bug report to a released advisory.

and the list goes on and on. I don't think that it is Click Bait as you say.

Mel

 

Well the thing is that there are vulnerabilities with Xorg but they are claiming that it can be used as a keylogger. Read the first comment on your link Mel (as well as the others).


securitybreach

Anything major that has come up has been fixed right away. This is open source and we patch things when there are issues. Things will come up but they get fixed in a timely manner. The same will apply to Wayland when it gets popular enough to find bugs.

  • Like 1

securitybreach

If this issue bothers you, you can start using Wayland right now. It's the default in Fedora, and if you have Debian Stretch with the GNOME desktop it's an option. I suspect the next Debian release (Buster) will go with Wayland as the default and X as a fallback.

It doesn't bother me, and BTW I do run Fedora as MY second Linux Distro and Linux Mint as my primary. I only pointed out that there are several vulnerabilities in Xorg Server. Well documented too. To make a statement that it is
.This is just click bait. Of course any type of software that interacts with an application could potentially have a keylogger. That is why security researchers look at software and their capabilities.

 

Notice that there is not a single source on the article. This is just FUD tactics to get you to move to Wayland. I googled Xorg keylogger and nothing relevant came back in the results. Wayland could just as easily have one as well. I am surprised at TechRepublic....

IMHO is irresponsible in light of all the security problems with all software nowadays.

 

Mel

 

IMO, irresponsible is making a claim, true or false without a single source. We are living in the days of fake news so we see outrageous claims daily. I think that it is useless to even report on something without a source backing up your claim. I thought that this was always the case with journalism.

 

I know there are proof of concept vulnerabilities for Xorg but none of them are actively exploited. Anything serious gets patched just like any other major open source project. I couldn't imagine a world where something like Xorg was maintained with a known unpatched vulnerability that hasn't been fixed. I mean this is Open Source. There have been vulnerabilities but most have some sources to show how it was exploited and that it was tested and such.

  • Like 1

X is very old and has many features that were useful in 1985 but not needed or obsolete today. I don't think it's used in servers that regularly contact the Internet but why would you have a GUI on a server anyway?

X is a server but not in the same sense as a LAMP stack.

I do not feel insecure with X on a workstation behind a router and firewall and used with intelligent security practice. Wayland will likely be more secure because it doesn't try to do as much, and is a relatively modern piece of software. But Wayland is replacing X for many reasons beyond security.

  • Like 1

securitybreach

X is very old and has many features that were useful in 1985 but not needed or obsolete today. I don't think it's used in servers that regularly contact the Internet but why would you have a GUI on a server anyway?

X is a server but not in the same sense as a LAMP stack.

I do not feel insecure with X on a workstation behind a router and firewall and used with intelligent security practice. Wayland will likely be more secure because it doesn't try to do as much, and is a relatively modern piece of software. But Wayland is replacing X for many reasons beyond security.

 

^^^^^ Exactly :thumbup:
