To: redhat-watch-list@redhat.com
Subject: SECURITY: CDE Client and Developer Editions
Date: Fri, 25 Sep 1998 16:12:17 -0400
From: Hilary Stokes <hilary@redhat.com>

SECURITY: CDE Client and Developer Editions

It has recently come to the attention of Red Hat Software that there are significant security holes in CDE. All users are affected, both those who purchased CDE Client and those who purchased CDE Developer that runs on Red Hat Linux 4.0 up to 5.1.

Description of the problem:

Several exploits have been found that allow any user on your network to gain full access to your CDE session. There are also bugs that allow local users to that machine to gain root access. This allows anyone that accesses your machine to change files, delete files, and commit other malicious actions.

Because CDE is not Open Source software, we have no ability to fix either the minor bugs that have been reported over the last year, or these more important security bugs.

Solution:

There is currently no fix available for these security problems. If CDE is necessary for your application, you can contact XiGraphics at http://www.xigraphics.com. If you are looking for a localized desktop environment, our recommendation is to upgrade to the new GNOME desktop, where betas are currently available at http://www.gnome.org.

Red Hat Software will no longer distribute CDE effective immediately, but will continue to support the copies of CDE that have been purchased up to this point.

We will also be providing a $50 credit towards future purchases of official Red Hat Software products made directly from Red Hat Software for all who have purchased Red Hat's TriTeal CDE Client or Developer edition. Please follow the following procedure to obtain credit.

1) If you purchased from a reseller

   Send your CDE CD-ROM to

   CDE Returns
   Red Hat Software
   P.O. Box 13588 (for U.S. mail returns)
   79 T.W. Alexander Dr.
   Bldg 4201, Suite 100
   Research Triangle Park, NC 27709

2) If you purchased directly from Red Hat Software, call our sales office at 888-REDHAT1 and they will assist you.

Thank you for supporting the Open Source model.

--
To unsubscribe: mail redhat-watch-list-request@redhat.com with "unsubscribe" as the Subject.