A libxdmcp security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where libxdmcp used weak entropy to generate the session keys.
ELA-708-1 libxdmcp security update
Package libxdmcp
ELA-708-1 libxdmcp security update
Version 1:1.1.1-1+deb8u3 (jessie)
Related CVEs CVE-2017-2625
It was found that libxdmcp 1:1.1.1-1+deb8u1 released as DLA-2006-1 did not properly apply the fix for CVE-2017-2625. That has been corrected now, the description for that issue follows:
libxdmcp, the X11 Display Manager Control Protocol library, used weak entropy to generate the session keys. A local attacker could brute force the keys to connect to another user’s session.
For Debian 8 jessie, these problems have been fixed in version 1:1.1.1-1+deb8u3.
We recommend that you upgrade your libxdmcp packages.
Further information about Extended LTS security advisories can be found at: debian Extended Long term support
