xfce 4.4.2 test packages ready

Brian J. Tarricone bjt23 at cornell.edu
Sun Nov 18 08:30:18 CET 2007


On Sun, 18 Nov 2007 08:03:09 +0200 Samuli Suominen wrote:

> Xfce is getting released with open CVE
> ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3770 )
> 
> while it's fixed in trunk?

I wasn't aware of this.  At any rate:

1.  I disagree with their severity rating of 'High'.  An attacker has
to a) somehow get a URL to display in Terminal, which is difficult (I
don't imagine too many people run a text-mode web browser or interact
with *too* much untrusted data in a terminal), and then, the user has
to middle-click on it (not just click; middle-click), which is of
rather low to medium probability.  Note that the kinds of people who
are foolish enough to click on links of that nature are not the kinds
of people who would end up using Terminal all that much.  Yes, it
should be fixed.  Is it that big a deal?  No.

2.  Benny will do new releases of Terminal, Thunar, and libexo in the
next couple weeks.  If you'd read the README, you'd know this.  I'll
probably remove the Terminal package (which is the same one released
with 4.4.1), though.  Thunar and libexo are more or less essential for
some of the features in the base Xfce distribution, hence why I
included copies of the current version, but Terminal is not.

> Also Thunar 0.8.0 has a known issue, segfaulting with exif data on big
> endian machines fixed in trunk..

Again, this will be addressed in the next release in a couple weeks.

Note that Terminal and Thunar don't have 'xfce_4_4' branches like the
rest of the modules, so the new release will come off of SVN trunk.

	-brian



More information about the Xfce4-dev mailing list