Bugtraq mailing list archives

Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Thu, 30 Apr 1998 14:43:46 -0600

Patches to address this vulnerability have been given to X Project Team

    BARCO Chromatics
    CliniComp International
    Hummingbird Communications
    Jupiter Systems
    Metro Link
    Network Computing Devices
    Seaweed Systems
    Sequent Computer Systems
    Shiman Associates
    Silicon Graphics
    Societe Axel
    Siemens Nixdorf
    Xi Graphics

The X Project Team periodically makes public patches available to fix a
variety of problems. Announcements about the availability of these patches
are announced on the Usenet comp.windows.x.announce newsgroup. The patches,
when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.
The X Project Team only supplies patches for the latest release -- we do
not make patches for prior releases.

Information on joining The Open Group can be found at


What is this?  Is The Open Group now selling security patches only to
their members?

I asked the XFree86 people.  They have received no communication from TOG
about this at all.  I think this is extremely bad ethics on the part of
TOG to publish information on a security problem and then only give fixes
to people who have given them money.

Secondly, I think CERT has been somewhat negligent in letting this
kind of advisory through; don't they usually say they have a policy of
making sure all the vendors have been contacted?

Considering how many thousands and thousands of people use XFree86, what
happened here, did CERT forget about them?
