Re: CAN-2005-2495: Current XFree86 and Recent CVE Advisory

On Wed, 28 Sep 2005, jayjwa wrote:

> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495
>
> CAN-2005-2495:
>
> This issue seems to affect both XFree86 and X.Org versions of X. Many Linux
> distros have now begun to patch. Debian's advisory is really
> unclear, as they seem to imply that only versions *before* XFree86 4.30
> are affected. Checking out some of the links and advisories from the
> other distros, I find this Slackware one, which implies current X.Org
> is affected:
>
>     [...]
>
> So are XFree86's version 4.5.0 binaries off their web/ftp servers affected
> or not? It would appear that before 4.3.0 of XFree86 only is, but then
> why would Slackware Linux and Mandrake be going so far as to replace
> current X.Org stuff?

Any X server based on what used to be called the Sample Implementation is affected. That includes all releases of XFree86 and X.Org.

> Only one problem, there doesn't seem to BE a security upgrade for XFree86.

There is a source patch available on our ftp server. It merely has yet to be announced.

> In summary, can users expect fixed binary releases, or perhaps they already are patched (no info about this on the XFree86 website)? If it IS just the Xserver itself (that is, the XFree86/X binary), I can probably rob a patched one from some distro's "package". What are other users doing about this?

We currently have no plans to provide updated binaries, nor to back-port our fix to prior releases as others have done. We are about to embark on a new release cycle anyway.

Marc.

+----------------------------------+-----------------------------------+
|  Marc Aurele La France           |  work:   1-780-492-9310           |
|  Academic Information and        |  fax:    1-780-492-1729           |
|    Communications Technologies   |  email:  tsi@xxxxxxxxxxx          |
|  352 General Services Building   +-----------------------------------+
|  University of Alberta           |                                   |
|  Edmonton, Alberta               |     Standard disclaimers apply    |
|  T6G 2H1                         |                                   |
|  CANADA                          |                                   |
+----------------------------------+-----------------------------------+
XFree86 developer and VP.  ATI driver and X server internals.