Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw

[peter.jeremy () ALCATEL COM AU (Peter Jeremy)]

On Thu, 30 Apr 1998 14:43:46 -0600, Theo de Raadt <deraadt () CVS OPENBSD ORG> wrote:
> > Patches to address this vulnerability have been given to X Project Team
> > members:
...
> > The patches,
> > when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.
> > The X Project Team only supplies patches for the latest release -- we do
> > not make patches for prior releases.
> What is this.  Is The Open Group now selling security patches only to
> their members?
That's about it I think.  TOG have change the distribution conditions
for X11R6.4 (and later) - check their website
(http://www.opengroup.org/tech/desktop/x/) for details.

> I asked the XFree86 people.  They have received no communication from TOG
> about this at all.
XFree86 have decided to stay with X11R6.3 because of the license changes
(see http://www.xfree86.org/news/pr-980407.html).

>  I think this is extremely bad ethics on the part of
> TOG to publish information on a security problem and then only give fixes
> to people who have given them money.
I tend to agree.  Their excuse will be that they don't patch old releases,
it's your choice not to stay current.

At present, there doesn't appear to be any restriction on
ftp://ftp.x.org/pub/R6.4/fixes/ (admittedly, it's empty).  If the
patches are publicly available, it may be possible to work out the
details of the bug and fix it in previous releases.

Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy () alcatel com au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247