{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2025-49180: fix integer overflow in the RandR extension affecting the\n RRChangeProviderProperty function", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/centos7els/advisories/2025/clsa-2025_1757501564.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1757501564", "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1757501564" } ], "tracking": { "current_release_date": "2025-09-24T09:37:41Z", "generator": { "date": "2025-09-24T09:37:41Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1757501564", "initial_release_date": "2025-09-10T10:52:46Z", "revision_history": [ { "date": "2025-09-10T10:52:46Z", "number": "1", "summary": "Initial version" }, { "date": "2025-09-24T09:37:41Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "xorg-x11-server: Fix of CVE-2025-49180" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Community Enterprise Operating System 7", "product": { "name": "Community Enterprise Operating System 7", "product_id": "CentOS-7", "product_identification_helper": { "cpe": "cpe:2.3:o:centos:centos:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Community Enterprise Operating System" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-Xvfb@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-devel@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-Xorg@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-Xephyr@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-common@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-Xnest@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-Xdmx@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product": { "name": "xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_id": "xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-Xwayland@1.20.4-99.el7_9.tuxcare.els4?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "product": { "name": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "product_id": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-devel@1.20.4-99.el7_9.tuxcare.els4?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "product": { "name": "xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "product_id": "xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/xorg-x11-server-source@1.20.4-99.el7_9.tuxcare.els4?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686" }, "product_reference": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch" }, "product_reference": "xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" }, { "category": "default_component_of", "full_product_name": { "name": "xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64 as a component of Community Enterprise Operating System 7", "product_id": "CentOS-7:xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" }, "product_reference": "xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "relates_to_product_reference": "CentOS-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-49180", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "CentOS-7:xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "CentOS-7:xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-49180" } ], "release_date": "2025-06-17T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CentOS-7:xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "CentOS-7:xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2025-49176", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "CentOS-7:xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "CentOS-7:xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-49176" } ], "release_date": "2025-06-17T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1" }, "products": [ "CentOS-7:xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "CentOS-7:xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2025-49179", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "CentOS-7:xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "CentOS-7:xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-49179" } ], "release_date": "2025-06-17T00:00:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "version": "3.1" }, "products": [ "CentOS-7:xorg-x11-server-Xvfb-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.i686", "CentOS-7:xorg-x11-server-devel-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xorg-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xephyr-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-common-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xnest-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-source-0:1.20.4-99.el7_9.tuxcare.els4.noarch", "CentOS-7:xorg-x11-server-Xdmx-0:1.20.4-99.el7_9.tuxcare.els4.x86_64", "CentOS-7:xorg-x11-server-Xwayland-0:1.20.4-99.el7_9.tuxcare.els4.x86_64" ] } ], "threats": [ { "category": "impact", "details": "High" } ] } ] }