On Thu, Sep 05, 2002 at 02:31:55PM +1000, Neale Banks wrote:
> Does this throw the proverbial spanner in the plans - or is it just a
> minor hiccup?

In my opinion, it's a minor hiccup at worst.

* No released version of Debian is vulnerable to this exploit.
* Not even Debian unstable is vulnerable, since XFree86 4.2.0 hasn't been
  released to it yet.
* Anyone using my pre-release .debs is potentially vulnerable.
* If you are alarmed by this, downgrade xlibs to 4.1.0-17.  You'll need to
  downgrade a few other packages as well.
* The impact of this vulnerability hasn't been established yet.
* Debian doesn't ship any setuid root X clients to my knowledge.
* Check the permissions and ownership on your screen locker programs,
  such as xlock and xscreensaver.
* As long as any privileged X clients aren't coded to exploit this
  vulnerability, there is no problem.  Setuid and setgid X clients should
  be carefully scrutinized anyway.

This doesn't really disrupt my release plans at all.  The next pre-release
will be 4.2.1-0pre1v1 instead of 4.2.0-0pre1v5.

I knew about this vulnerability a couple of weeks ago, but was sworn to
secrecy.

-- 
G. Branden Robinson                |     You should try building some of the
Debian GNU/Linux                   |     stuff in main that is
branden@debian.org                 |     modern...turning on -Wall is like
http://people.debian.org/~branden/ |     turning on the pain.  -- James Troup
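The mail above asks readers to check the permissions and ownership of their screen lockers and to scrutinize any setuid or setgid X clients. The following script is an added example, not part of Branden's mail or of the XFree86 packages; it assumes a Linux host with GNU coreutils `stat`, `find` and `ldd`, and treats "X client" as "executable that links against libX11". It lists every setuid/setgid executable under the given directories that links Xlib, with its mode and owner, so an administrator can review that list rather than guess.

```shell
#!/bin/sh
# Added example (not from the original mail): enumerate privileged X clients.
# Assumptions: Linux, GNU coreutils `stat -c`, `ldd` available; the host's
# Xlib is named libX11 (true for XFree86 4.x as packaged by Debian).

# is_privileged FILE -> succeeds if FILE carries the setuid or setgid bit.
is_privileged() {
    [ -u "$1" ] || [ -g "$1" ]
}

# links_xlib FILE -> succeeds if ldd lists libX11 among FILE's shared libraries.
# Static binaries and non-executables simply fail the test.
links_xlib() {
    ldd "$1" 2>/dev/null | grep -q 'libX11'
}

# describe_file FILE -> prints "octal-mode owner:group path" on one line.
describe_file() {
    printf '%s %s %s\n' "$(stat -c '%a' "$1")" "$(stat -c '%U:%G' "$1")" "$1"
}

# find_privileged_x_clients DIR... -> prints one describe_file line for every
# setuid/setgid regular file under the DIRs that links against libX11.
# Screen lockers such as xlock and xscreensaver show up here if they are
# installed setuid/setgid, which is exactly what the mail asks you to inspect.
find_privileged_x_clients() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if links_xlib "$f"; then
            describe_file "$f"
        fi
    done
}

# Usage: sh thisfile.sh --scan   (scans the usual X binary directories)
[ "${1:-}" = "--scan" ] && find_privileged_x_clients /usr/bin /usr/X11R6/bin
```

The output is deliberately a plain list; the decision of whether a given setuid client is acceptable depends on whether it drops privileges before touching Xlib, which is a code review question the script cannot answer. An empty list on a stock Debian system is consistent with the mail's statement that Debian ships no setuid root X clients.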