
Re: Upcoming Debian Releases



Brian C. White:
> > There is a buffer overrun bug in the X Toolkit Intrinsics, a core part
> > of X.  When coupled with xterm's setuid-rootness this means that
> > anyone on a system with an unfixed X distribution can gain root
> > access.
> 
> Does this bug exist in Debian 1.1?

Yes, it does.  Both buzz and rex have the same X packages.

> This is not practical.  I've seen numerous bugs appear about X3.2,
> especially in the "dependency" area.  It will take at least another
> month for these to all get straightened out.

But I don't think this month will be wasted.  We can do more testing
and fix a few other things as well, thus making the released system
more stable (so there won't be too many Debian-1.2.x updates later).

> Security holes such as this do not affect most users.  Their
> machines are secure because only they can get to them.  Those people
> who do host multiple users or manage networks know enough of what
> they are doing to grab X3.2 from the "unreleased" tree.

Well, it depends - I wouldn't assume that.  There are many people
who run large systems but are not programmers - I know, I get quite
a lot of mail from people asking for help about (sometimes trivial)
problems with the shadow suite.  Those people who truly know what
they are doing, can build their own distribution from sources :-).

> > >  - Replace Xt in Rex with the one from Buzz

Which has the same bug.  Any unpatched X11R6 has this bug.

> As opposed to "We are pleased to announce the release of Debian 1.2 has
> slipped once again.  Please use Debian 1.1 for the next 6-9 months or
> use RedHat/Slackware instead if you require staying current."

Why this next 6-9 months?  We were talking about one month or so...
The current rex is available for those who want to test it or need
newer packages (in most cases there is no need to install the whole
distribution, just those packages that you need) and Debian 1.1.x is
not that bad anyway.

We made another major change, just before the freeze, that I would
be more worried about than X3.2: libc 5.4.7 with the new malloc.
It breaks buggy programs that happened to work with the older libc
(like sysnews_0.8-2), so it would be good to have some more time
for testing the whole system with the new libc.

> > `Incorporate patch' means `switch from XFree86 3.1.2 to XFree86 1.2'.
> > This is not something we should do on a patchlevel change.

Agreed, assuming that you mean 3.2, not 1.2 :-).

Marek


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com