Date: Thu, 17 Aug 2000 16:51:49 -0700
From: "Crist J . Clark"
To: freebsd-security@freebsd.org, security-officer@freebsd.org
Subject: xlock Vulnerability Misrepresented at Bugtraq
Message-ID: <20000817165149.A88516@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

I noticed this and sent an email to the original poster of the
vulnerability, but no reply. If you go to,

  http://www.securityfocus.com/vdb/bottom.html?vid=1585

You will see this is listed as a FreeBSD vulnerability. It is not per
se.

  1) X is not part of FreeBSD. But FreeBSD distributes XFree86 with
     its CDs and from most FTP sites.
  2) No xlock executable comes with the default XFree86 distribution
     for FreeBSD, package or port.
  3) You need to install the 'xlockmore' to get the vulnerable xlock
     to which the original Bugtraq poster was referring.

I think this needs to be straightened out: FreeBSD itself is not
vulnerable. FreeBSD with the distributed XFree86 is not
vulnerable. FreeBSD users are only vulnerable if you have added the
xlockmore port, other xlock tool, or an X distribution with a
vulnerable xlock on your own.

Am I right here? I can't find xlock on my FreeBSD machines
anyway. Even the ones with XFree86.
-- 
Crist J. Clark                           cjclark@alum.mit.com