Xt xterm security hole
Ian Jackson writes:
> Premise: we should not ship 1.2 with a security bug that we know can
> give away root access.
>
> Believed-known fact: XFree86 as currently in frozen has such a bug.
>
> Conclusion: we must do something to the XFree86 build in frozen before
> we release.
>
> We can do this in two ways:
> 1. Push XFree86 3.2 into frozen.

This has the disadvantage that XFree86-3.2 has not been extensively
tested as a Debian package.

> 2. Apply a patch to fix the bug in frozen's source and rebuild X.

This is a major hassle because the XFree86-3.1.2 package was
incredibly awkward to build.

> I don't know which of 1 or 2 we should do, but surely we must do
> one or the other and we must not release 1.2 without it.

On balance, I favour option 1 over option 2. The XFree86-3.2 packages
have been 'in the field' for almost two weeks, and no show-stoppers
have been reported. I believe they are at least as good quality as the
XFree86-3.1.2 packages.

I will upload XFree86-3.2-1 shortly. I will leave the decision on what
to do with it up to other people.

Steve Early