Date: Wed, 4 Feb 1998 10:18:04 -0500 (EST)
From: Erik Troan <ewt@redhat.com>
To: redhat-announce-list@redhat.com
Subject: SECURITY: X server security holes

Various problems have been found in the X server which make it a serious
threat to system security. All versions of the X server, including Metro X
and Accelerated X, are thought to be affected (only XFree86 and the MIT X
reference implementation are *known* to be, however). This problem affects
all Red Hat Linux platforms and versions.

Currently, no new X servers are available. Instead, Red Hat recommends
removing the special permissions from the X server binary (the setuid
bit), and using a wrapper program which is now on ftp.redhat.com. To do
this, follow the steps below. The order is quite important, so please
follow these instructions carefully.

	1) Remove the setuid bit from all X servers installed on your
	   system with the following command:

		chmod u-s /usr/X11R6/bin/X*

	2) Install the updated Xconfigurator package (details below)

	3) Install the new xserver-wrapper package (details below)

	4) If you are running Accelerated X, run the following command:

		ln -sf /usr/X11R6/bin/Xaccel /etc/X11/X

	   if you are not running Accelerated X, do not do this step!

After these steps have been completed, X should function as usual.
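
To confirm afterwards that step 1 took effect and where the /etc/X11/X link
from step 4 points, a check along the following lines can be used. It is an
added example, not part of the original advisory or of any Red Hat package;
the function names are hypothetical and the paths are the ones given above.

```shell
#!/bin/sh
# Added example (not from the advisory): verify steps 1 and 4 after the fact.

# Print every X server binary in DIR (default: the advisory's /usr/X11R6/bin)
# that still carries the setuid bit. Uses the same X* glob as the chmod above.
list_setuid_xservers() {
    dir=${1:-/usr/X11R6/bin}
    for f in "$dir"/X*; do
        # Skip an unmatched glob and symlinks, so each real binary is
        # reported once.
        if [ -f "$f" ] && [ ! -L "$f" ] && [ -u "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print where the X symlink from step 4 points, or "missing" if it is
# absent or is not a symlink.
x_link_target() {
    link=${1:-/etc/X11/X}
    if [ -L "$link" ]; then
        readlink "$link"
    else
        echo missing
    fi
}

# Report findings on stdout; return 0 only when no setuid X server remains.
audit_xservers() {
    offenders=$(list_setuid_xservers "$1")
    echo "X link target: $(x_link_target "$2")"
    if [ -n "$offenders" ]; then
        echo "setuid bit still set on:"
        echo "$offenders"
        return 1
    fi
    echo "no setuid X servers found"
}

# Run against the advisory's paths when called as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_xservers /usr/X11R6/bin /etc/X11/X
fi
```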

This information will appear on the Errata for Red Hat Linux 4.2 and
Red Hat Linux 5.0 shortly. 

Thanks to everyone on BUGTRAQ who brought these problems to our attention.

Red Hat 5.0
-------------

i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/Xconfigurator-3.26-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/xserver-wrapper-1.1-1.i386.rpm

alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/Xconfigurator-3.26-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/xserver-wrapper-1.1-1.alpha.rpm

Red Hat 4.2
-------------

i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/Xconfigurator-2.6.1-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/xserver-wrapper-1.1-0.i386.rpm

alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/Xconfigurator-2.6.1-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/xserver-wrapper-1.1-0.alpha.rpm

SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/xserver-wrapper-1.1-0.sparc.rpm

