Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16
To: Perry E. Metzger <perry@wasabisystems.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-x11
Date: 07/24/2000 13:27:19

On Mon, Jul 24, 2000 at 10:48:46AM -0400, Perry E. Metzger wrote:
> 
> Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de> writes:
> > The Weekly BSD Security Digest 2000/07/10 to 2000/07/16
> > (http://www.securityportal.com/topnews/weekly/bsd20000717.html) mentions
> > some X holes in various parts of X: libICE, X server, libX11.
> > 
> > Are we affected by these?
> 
> BTW, some years ago my company contributed a patch to the X folks that
> allows you to run X without having it listen to the network at all --
> see the --nolisten tcp option. I've run all my X servers this way ever
> since.

An issue to be aware of that trips up many folks running X carefully is
that this doesn't prevent *xdm* from listening to the network, allowing
anyone who runs X -query foo.bar.com to talk to the XDM on foo.bar.com and
attempt to exploit any vulnerabilities it may have.

Thor
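
A configuration check for the point made in this message, as an added example that is not part of the original thread: it reads an xdm `Xservers` file and an `xdm-config` file and reports separately whether the X server accepts TCP connections and whether xdm itself listens for XDMCP. The file paths, sample contents and function names are assumptions; `DisplayManager.requestPort` is xdm's resource for its XDMCP UDP port (default 177, and 0 turns the listener off).

```shell
#!/bin/sh
# Added example: audit an xdm setup for the two separate network listeners.
# Paths and file contents below are constructed samples.

# Print every local display in an Xservers file whose server command lacks
# "-nolisten tcp" (single dash is the X server's spelling of the option).
x_tcp_displays() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        $2 == "local" || $3 == "local" {         # optional class before type
            ok = 0
            for (i = 2; i < NF; i++)
                if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
            if (!ok) print $1
        }' "$1"
}

# Print the UDP port xdm listens on for XDMCP: the last value given for
# DisplayManager.requestPort, or the default 177 when the resource is unset.
# A value of 0 means xdm does not listen for XDMCP at all.
xdmcp_port() {
    awk '
        /^[ \t]*DisplayManager[.*]requestPort[ \t]*:/ {
            sub(/^[^:]*:/, ""); port = $0 + 0; seen = 1
        }
        END { print (seen ? port : 177) }' "$1"
}

# Report both exposures. $1 = Xservers file, $2 = xdm-config file.
audit_x_exposure() {
    for d in $(x_tcp_displays "$1"); do
        echo "WARN: X server for display $d accepts TCP connections"
    done
    p=$(xdmcp_port "$2")
    if [ "$p" -ne 0 ]; then
        echo "WARN: xdm answers XDMCP queries on UDP port $p"
    fi
}

# Constructed sample: the server is started with -nolisten tcp, but
# xdm-config never sets requestPort, so xdm still listens.
tmp=$(mktemp -d)
printf ':0 local /usr/X11R6/bin/X :0 -nolisten tcp\n' > "$tmp/Xservers"
printf '! constructed xdm-config\nDisplayManager.servers: /etc/X11/xdm/Xservers\n' \
    > "$tmp/xdm-config"
audit_x_exposure "$tmp/Xservers" "$tmp/xdm-config"
```

Adding `DisplayManager.requestPort: 0` to the sample `xdm-config` silences the remaining warning.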