Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16
To: None <hubert.feyrer@informatik.fh-regensburg.de>
From: Perry E. Metzger <perry@wasabisystems.com>
List: tech-security
Date: 07/24/2000 10:48:46
To: hubert.feyrer@informatik.fh-regensburg.de
Cc: tech-x11@netbsd.org, tech-security@netbsd.org
References: <Pine.GSO.4.10.10007210313510.11355-100000@rfhpc8320.fh-regensburg.de>
Date: 24 Jul 2000 10:48:46 -0400
In-Reply-To: Hubert Feyrer's message of "Fri, 21 Jul 2000 03:16:47 +0200 (MET DST)"
Message-ID: <87wviblh2p.fsf@snark.piermont.com>
Lines: 26


Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de> writes:
> The Weekly BSD Security Digest 2000/07/10 to 2000/07/16
> (http://www.securityportal.com/topnews/weekly/bsd20000717.html) mentions
> some X holes in various parts of X: libICE, X server, libX11.
> 
> Are we affected by these?

BTW, some years ago my company contributed a patch to the X folks that
allows you to run X without having it listen to the network at all --
see the --nolisten tcp option. I've run all my X servers this way ever
since.

I highly recommend that people run their X systems this way. It
eliminates a whole host of worries about security. Sure, someone could
still break root on your machine locally, but for things like single
user workstations, it eliminates the entire worry about X being
insecure over the wire.

I almost think we should make this the shipped default for NetBSD but
it would break a few people.

--
Perry E. Metzger		perry@wasabisystems.com
--
Quality NetBSD Sales, Support & Service. http://www.wasabisystems.com/
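
The following is an added example, not part of the message above: one way to confirm that an X server started with the nolisten tcp option really has no TCP listener. The function name `x11_tcp_listeners`, the 6000-6063 port range and the sample netstat text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report X11 TCP listeners found in `netstat -an` output.
# X display :N listens on TCP port 6000+N. The upper bound of 6063
# (displays :0 to :63) is an assumed range chosen for this check.

x11_tcp_listeners() {
    # Reads netstat -an style text on stdin. Handles the BSD address form
    # (*.6000, 127.0.0.1.6000) and the Linux form (0.0.0.0:6000, :::6000).
    # Only listening TCP sockets count; established connections and UDP
    # sockets are ignored.
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4                       # local address column
            n = split(addr, parts, /[.:]/)  # port is the last component
            port = parts[n] + 0
            if (parts[n] ~ /^[0-9]+$/ && port >= 6000 && port <= 6063)
                printf "display :%d listening on %s\n", port - 6000, addr
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  10.0.0.5.6000          10.0.0.9.51234         ESTABLISHED
tcp6       0      0  :::6001                :::*                   LISTEN
tcp        0      0  127.0.0.1.60000        *.*                    LISTEN
udp        0      0  *.6000                 *.*'

# Run the check over the sample; two displays are reported as exposed.
printf '%s\n' "$SAMPLE_NETSTAT" | x11_tcp_listeners
```

On a live host, pipe the real socket table in with `netstat -an | x11_tcp_listeners`; no output means no X display is reachable over TCP.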