[6637] in bugtraq
Re: CERT Vendor-Initiated Bulletin VB-98.04 - xterm.Xaw
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Thu Apr 30 17:31:03 1998
Date: Thu, 30 Apr 1998 14:43:46 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Aleph One <aleph1@NATIONWIDE.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 27 Apr 1998 19:32:10 CDT."
<Pine.SUN.3.94.980427193145.2460A-100000@dfw.dfw.net>
> Patches to address this vulnerability have been given to X Project Team
> members:
>
> Astec
> Attachmate
> BARCO Chromatics
> CliniComp International
> Digital
> Hewlett-Packard
> Hitachi
> Hummingbird Communications
> IBM
> Jupiter Systems
> Metro Link
> Network Computing Devices
> NetManage
> Peritek
> Seaweed Systems
> Sequent Computer Systems
> Shiman Associates
> Silicon Graphics
> Societe Axel
> Siemens Nixdorf
> Starnet
> SunSoft
> WRQ
> Xi Graphics
>
> The X Project Team periodically makes public patches available to fix a
> variety of problems. Announcements about the availability of these patches
> are made on the Usenet comp.windows.x.announce newsgroup. The patches,
> when they become available, may be found on ftp://ftp.x.org/pub/R6.4/fixes/.
> The X Project Team only supplies patches for the latest release -- we do
> not make patches for prior releases.
>
> Information on joining The Open Group can be found at
>
> http://www.opengroup.org/howtojoin.htm
What is this? Is The Open Group now selling security patches only to
their members?
I asked the XFree86 people. They have received no communication from TOG
about this at all. I think this is extremely bad ethics on the part of
TOG to publish information on a security problem and then only give fixes
to people who have given them money.
Secondly, I think CERT has been somewhat negligent in letting this
kind of advisory through; don't they usually say they have a policy of
making sure all the vendors have been contacted?
Considering how many thousands and thousands of people use XFree86, what
happened here? Did CERT forget about them?