Home page logo

bugtraq logo Bugtraq mailing list archives

Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw
From: peter.jeremy () ALCATEL COM AU (Peter Jeremy)
Date: Fri, 1 May 1998 07:51:06 +1000

On Thu, 30 Apr 1998 14:43:46 -0600, Theo de Raadt <deraadt () CVS OPENBSD ORG> wrote:
Patches to address this vulnerability have been given to X Project Team
The patches,
when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.
The X Project Team only supplies patches for the latest release -- we do
not make patches for prior releases.
What is this.  Is The Open Group now selling security patches only to
their members?
That's about it I think.  TOG have change the distribution conditions
for X11R6.4 (and later) - check their website
(http://www.opengroup.org/tech/desktop/x/) for details.

I asked the XFree86 people.  They have received no communication from TOG
about this at all.
XFree86 have decided to stay with X11R6.3 because of the license changes
(see http://www.xfree86.org/news/pr-980407.html).

 I think this is extremely bad ethics on the part of
TOG to publish information on a security problem and then only give fixes
to people who have given them money.
I tend to agree.  Their excuse will be that they don't patch old releases,
it's your choice not to stay current.

At present, there doesn't appear to be any restriction on
ftp://ftp.x.org/pub/R6.4/fixes/ (admittedly, it's empty).  If the
patches are publicly available, it may be possible to work out the
details of the bug and fix it in previous releases.

Peter Jeremy (VK2PJ)                    peter.jeremy () alcatel com au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]