Date: Tue, 30 May 2000 02:53:15 -0700 (PDT)
From: Kris Kennaway
To: Chad Ziccardi
Cc: stable@freebsd.org
Subject: Re: Xfree-4 WAS: Re: Proper method of updating XFree86
In-Reply-To: <392B6647.887DCBBA@bellatlantic.net>

On Wed, 24 May 2000, Chad Ziccardi wrote:

> If the port maintainer knows the problem and thus it's marked forbidden,
> why not just fix it? Maybe I'm off base here, and thus I apologize.

It's not the responsibility of the ports maintainers to fix security holes introduced by the program authors. It's taken us quite a while to get a patch out of XFree86 to fix this, but this particular local root hole should be fixed soon.

Of course, since XFree86 4.0 doesn't do any kind of argument limiting like previous versions did (via XWrapper) I'd still be careful installing it on a multiuser system (and I'll probably add a note to the port stating as such).

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe