Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:10 relevant versions.
X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
xorg-server to version 2:1.16.4-1 or higher.