Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw

[deraadt () CVS OPENBSD ORG (Theo de Raadt)]

> Patches to address this vulnerability have been given to X Project Team
> members:
>
>     Astec
>     Attachmate
>     BARCO Chromatics
>     CliniComp International
>     Digital
>     Hewlett-Packard
>     Hitachi
>     Hummingbird Communications
>     IBM
>     Jupiter Systems
>     Metro Link
>     Network Computing Devices
>     NetManage
>     Peritek
>     Seaweed Systems
>     Sequent Computer Systems
>     Shiman Associates
>     Silicon Graphics
>     Societe Axel
>     Siemens Nixdorf
>     Starnet
>     SunSoft
>     WRQ
>     Xi Graphics
>
> The X Project Team periodically makes public patches available to fix a
> variety of problems. Announcements about the availability of these patches
> is announced on the Usenet comp.windows.x.announce newsgroup. The patches,
> when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.
> The X Project Team only supplies patches for the latest release -- we do
> not make patches for prior releases.
>
> Information on joining The Open Group can be found at
>
>         http://www.opengroup.org/howtojoin.htm

What is this.  Is The Open Group now selling security patches only to
their members?

I asked the XFree86 people.  They have received no communication from TOG
about this at all.  I think this is extremely bad ethics on the part of
TOG to publish information on a security problem and then only give fixes
to people who have given them money.

Secondly, I think CERT has been somewhat negligent in letting this
kind of advisory through; don't they ussually say they have a policy of
making sure all the vendors have been contacted?

Considering how many thousands and thousands of people use XFree86, what
happened here, did CERT forget about them?