This allowed me to remove libX11. Thanks.
I think the libX11 libraries got installed along with tk. If I remove libXrender-0.9.9-1.ppc and just leave libXrender-0.9.8-2waixX11.ppc, would the yum install tk realize and resolve the dependencies?
I will be getting a new vulnerability report and I will see if any other items are found.
Original Message:
Sent: Fri December 18, 2020 08:36 AM
From: Ayappan P
Subject: CVE-2020-14363 - libX11-1.6.3-1
You have libXrender-0.9.9-1 which is built using the libX11 rpm.
We have removed this package from yum repodata but it still exists on the AIX Toolbox ftp site.
Please downgrade libXrender and then try to remove libX11.
"yum downgrade libXrender"
------------------------------
Ayappan P
Original Message:
Sent: Fri December 18, 2020 08:15 AM
From: Ayappan P
Subject: CVE-2020-14363 - libX11-1.6.3-1
Can you run "rpm -q --provides libX11" and paste the output here?
------------------------------
Ayappan P
Original Message:
Sent: Fri December 18, 2020 08:02 AM
From: David Nowalis
Subject: CVE-2020-14363 - libX11-1.6.3-1
libX11 is needed for libXrender. Yum remove libX11 wants to remove libXft, libXrender, and tk.
=======================================================================================================
 Package        Arch    Version           Repository                        Size
=======================================================================================================
Removing:
 libX11         ppc     1.6.3-1           @/libX11-1.6.3-1.aix6.1.ppc       20 M
Removing for dependencies:
 libXft         ppc     2.3.2-4waixX11    @AIX_Toolbox                      2.7 M
 libXrender     ppc     0.9.9-1           @AIX_Toolbox                      314 k
 tk             ppc     8.6.8-3           @AIX_Toolbox                      12 M

Transaction Summary
=======================================================================================================
Remove 4 Packages
------------------------------
David Nowalis
Original Message:
Sent: Thu December 17, 2020 11:32 AM
From: Ayappan P
Subject: CVE-2020-14363 - libX11-1.6.3-1
This is indeed from AIX Toolbox only.
Looks like it was there in the Toolbox for a short period of time. We ported it as part of gtk2 update but later went with AIX base libX11.
There is no package in Toolbox that depends on this libX11. You can remove it if no other software/apps use this libX11.
------------------------------
Ayappan P
Original Message:
Sent: Tue December 15, 2020 11:00 AM
From: David Nowalis
Subject: CVE-2020-14363 - libX11-1.6.3-1
I am using wget to sync the AIX Toolbox for LINUX to a local Yum repository. libX11 is in the ppc repository.
# rpm -qi libX11
Name : libX11
Version : 1.6.3
Release : 1
Architecture: ppc
Install Date: Thu Jan 17 13:09:15 EST 2019
Group : System/Libraries
Size : 20765222
License : MIT
Signature : (none)
Source RPM : libX11-1.6.3-1.src.rpm
Build Date : Mon Jul 25 06:04:06 EDT 2016
Build Host : green52.in.ibm.com
Relocations : (not relocatable)
URL : http://www.x.org
Summary : X.Org X11 library
Description :
X.Org Xext library
Core X11 protocol client library.
------------------------------
David Nowalis
Original Message:
Sent: Mon December 14, 2020 12:20 PM
From: Ayappan P
Subject: CVE-2020-14363 - libX11-1.6.3-1
AIX toolbox never had libX11 I guess.
What is the output of "rpm -qi libX11"?
------------------------------
Ayappan P
Original Message:
Sent: Mon December 14, 2020 09:58 AM
From: David Nowalis
Subject: CVE-2020-14363 - libX11-1.6.3-1
Our security tool began flagging libX11-1.6.3-1 for CVE-2020-14363 (integer overflow vulnerability in libX11). I did not see the update in the AIX Toolbox for Linux repository and was wondering if a fix for this is on the way.
------------------------------
David Nowalis
------------------------------