[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Xt xterm security hole

Ian Jackson writes:
 > Premise: we should not ship 1.2 with a security bug that we know can
 > give away root access.
 > Believed-known fact: XFree86 as currently in frozen has such a bug.
 > Conclusion: we must do something to the XFree86 build in frozen before
 > we release.
 > We can do this in two ways:
 >  1. Push XFree86 3.2 into frozen.

This has the disadvantage that XFree86-3.2 has not been extensively
tested as a Debian package.

 >  2. Apply a patch to fix the bug in frozen's source and rebuild X.

This is a major hassle because the XFree86-3.1.2 package was
incredibly awkward to build.

 > I don't know which of 1 or 2 we can should do, but surely we must do
 > one other the other and we must not release 1.2 without it.

On balance, I favour option 1 over option 2. The XFree86-3.2 packages
have been 'in the field' for almost two weeks, and no show-stoppers
have been reported. I believe they are at least as good quality as the
XFree86-3.1.2 packages.

I will upload XFree86-3.2-1 shortly. I will leave the decision on what
to do with it up to other people.

Steve Early

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to: