Re: Upcoming Debian Releases [auto-post]
Brian C. White:
> > > There are not critical bugs open against X. Since it has been decided
> > > that rex would ship with the older X, and this bug won't get patched
> > > because it is already fixed in the newer version, I don't see the point
> > > of making it critical. It would accomplish nothing but push the 1.2
> > > release a couple months.
Argh. Are release dates really more important than SECURITY HOLES? :-(
> > And we can always - after testing - put 3.2 into rex-fixed, can't we?
>
> No. Changes to the stable release are only allowed for extremely serious
> bugs such as security holes that allow root access.
Well, the libXt buffer overrun _is_ a security hole that allows root access
so it should qualify for rex-fixed. There are apparently a few other holes
too (like being able to crash xterm with a too long escape sequence, etc.).
An exploit program for FreeBSD was posted to bugtraq quite some time ago
- I haven't seen one for Linux yet, but it shouldn't be too hard to write.
Marek