mailing list archives
Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw
From: peter.jeremy () ALCATEL COM AU (Peter Jeremy)
Date: Fri, 1 May 1998 07:51:06 +1000
On Thu, 30 Apr 1998 14:43:46 -0600, Theo de Raadt <deraadt () CVS OPENBSD ORG> wrote:
Patches to address this vulnerability have been given to X Project Team
when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.
The X Project Team only supplies patches for the latest release -- we do
not make patches for prior releases.
What is this. Is The Open Group now selling security patches only to
That's about it I think. TOG have change the distribution conditions
for X11R6.4 (and later) - check their website
(http://www.opengroup.org/tech/desktop/x/) for details.
I asked the XFree86 people. They have received no communication from TOG
about this at all.
XFree86 have decided to stay with X11R6.3 because of the license changes
I think this is extremely bad ethics on the part of
TOG to publish information on a security problem and then only give fixes
to people who have given them money.
I tend to agree. Their excuse will be that they don't patch old releases,
it's your choice not to stay current.
At present, there doesn't appear to be any restriction on
ftp://ftp.x.org/pub/R6.4/fixes/ (admittedly, it's empty). If the
patches are publicly available, it may be possible to work out the
details of the bug and fix it in previous releases.
Peter Jeremy (VK2PJ) peter.jeremy () alcatel com au
Alcatel Australia Limited
41 Mandible St Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015 Fax: +61 2 9690 5247
- Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw Peter Jeremy (Apr 30)