[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: XFree86 3.2 in Debian 1.2? - basic UNIX security awareness

On Sat, 30 Nov 1996, Bernd Eckenfels wrote:

>> o Who was in favor of releasing it with X 3.1 and why?
> think Debian sliped release dates too often. They considered the Xt whole a
> minor cause "only" local users are able to exploit it. 

It is not a minor problem, because local users could gain root

By the way, if you keep up with CERT advisories, you would've known more
about this particular hole (libXt not quite checking boundaries when
copying $DISPLAY to an internal buffer, IIRC).

My opinion:
- Releasing 1.2 with XFree86 3.1.2 would have been a mistake, and not
  only because there's a bug in a certain library.
- There are only a few dependency problems left (for example xv depends on
  something not available and won't configure because of that, IIRC); X
  itself is debugged pretty OK by the whole world running any kind of
  UNIX for x86 based hardware.
- If you want to know about basic UNIX security and about bugs when they
  are found and not only when they have been fixed, sub to BUGTRAQ, BoS,
  and the CERT mailing lists.
- Now, developers, project leaders and what-have-not, get on with getting
  1.2 ready so I can burn a new CD since I lost my original 1.1.1...

While I'm on it... I got hit by the splitting of gcc and cpp, and
something called libelf0, but for the rest, upgrading from 1.1.{1-12} to
the latest unstable went pretty OK... except those damn *.dpkg-dist files
in /etc everywhere. ;-)

Keep up the good work... and keep down the frustrations.


-- --- -------------- ----------------------- -------------- --- --
PIH     XXTP     SE     ICTL, BTIHTKY.     <niels@churchofbofh.org>
Note:  I do not speak for my employer  -  they have net.access too.

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to: