Joerg Sonnenberger wrote:
> On Tue, Jun 09, 2009 at 07:05:47AM -0700, Alan Coopersmith wrote:
>> Joerg Sonnenberger wrote:
>>> On Mon, Jun 08, 2009 at 04:20:00PM -0400, Adam Jackson wrote:
>>>> Security is handled out of band like any other project. We'll release
>>>> patches for at least the most recent release, probably do a point
>>>> release for same, and anyone shipping anything older gets to backport.
>>> In practise, this didn't happen though. I don't care about most other
>>> parts, but this one is and was a huge regression compared to the
>>> monolithic world.
>> Which part doesn't happen? I don't see any difference in our patch releases
>> compared to monolithic days, and don't know of any security bugs we know of
>> and have failed to release patches for.
>
> The part of point releases never happened and the process of what
> patches are needed was quite a bit easier for the monolithic tree.
> E.g. the patches for the monolithic tree effectively replaced the point
> releases. I can point at least to the libXfont-1.3.1 release and the
> buffer overflow with the readlink usage that never was addressed via
> patch.
Assuming you mean
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=5bf703700ee4a5d6eae20da07cb7a29369667aef
the patch is available from git, like all other changes. I can't find much
discussion in the xorg_security list mail in my inbox archives (list archives
obviously aren't public) but it looks like no one declared that they believed
it was an exploitable security issue, just a bug, so we didn't go through the
security release process for it. (There was no CVE or security alert issued
either.)

--
-Alan Coopersmith- [email protected]
Sun Microsystems, Inc. - X Window System Engineering

_______________________________________________
xorg mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/xorg
