
To: redhat-watch-list@redhat.com
Subject: SECURITY:  CDE Client and Developer Editions
Date: Fri, 25 Sep 1998 16:12:17 -0400
From: Hilary Stokes <hilary@redhat.com>



SECURITY:  CDE Client and Developer Editions

It has recently come to the attention of Red Hat Software that there
are significant security holes in CDE.  All users are affected, both those
who purchased CDE Client and those who purchased CDE Developer that runs on 
Red Hat Linux 4.0 up to 5.1.

Description of the problem: Several exploits have been found that allow 
any user on your network to gain full access to your CDE session.  There 
are also bugs that allow local users on that machine to gain root access.
This allows anyone that accesses your machine to change files, delete
files, and commit other malicious actions.  Because CDE is not Open 
Source software, we have no ability to fix either the minor bugs that have 
been reported over the last year, or these more important security bugs.

Solution:  There is currently no fix available for these security problems.
If CDE is necessary for your application, you can contact XiGraphics at 
http://www.xigraphics.com.  If you are looking for a localized desktop
environment, our recommendation is to upgrade to the new GNOME desktop, 
where betas are currently available at http://www.gnome.org. 

Red Hat Software will no longer distribute CDE effective immediately, but
will continue to support the copies of CDE that have been purchased 
up to this point. We will also be providing a $50 credit towards future 
purchases of official Red Hat Software products made directly from Red Hat 
Software for all who have purchased Red Hat's TriTeal CDE Client or 
Developer edition. 

Please use the following procedure to obtain credit.

1)  If you purchased from a reseller, send your CDE CD-ROM to:
CDE Returns
Red Hat Software
P.O. Box 13588 (for U.S. mail returns)
79 T.W. Alexander Dr.
Bldg 4201, Suite 100
Research Triangle Park, NC 27709

2)  If you purchased directly from Red Hat Software, call our sales
office at 888-REDHAT1 and they will assist you.

Thank you for supporting the Open Source model.




