Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Thu, 30 Apr 1998 14:43:46 -0600
Patches to address this vulnerability have been given to X Project Team
Network Computing Devices
Sequent Computer Systems
The X Project Team periodically makes public patches available to fix a
variety of problems. Announcements about the availability of these patches
are announced on the Usenet comp.windows.x.announce newsgroup. The patches,
when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.
The X Project Team only supplies patches for the latest release -- we do
not make patches for prior releases.
Information on joining The Open Group can be found at
What is this. Is The Open Group now selling security patches only to
I asked the XFree86 people. They have received no communication from TOG
about this at all. I think this is extremely bad ethics on the part of
TOG to publish information on a security problem and then only give fixes
to people who have given them money.
Secondly, I think CERT has been somewhat negligent in letting this
kind of advisory through; don't they usually say they have a policy of
making sure all the vendors have been contacted?
Considering how many thousands and thousands of people use XFree86, what
happened here, did CERT forget about them?