On Sat, Oct 29, 2011 at 03:03:49PM -0400, Michael Gilbert wrote:
> > On Sat, Oct 29, 2011 at 13:38:47 -0400, Michael Gilbert wrote:
> >> On Fri, Oct 21, 2011 at 3:12 PM, Julien Cristau wrote:
> >> I wonder if at least this one should be treated with a real urgency?
> >> On the surface it's an info disclosure issue, which tends to be very low
> >> urgency, but it's a pretty bad one since it's actually a disclosure of
> >> any file on the system (e.g. /etc/shadow), and there is an existing
> >> poc exploit:
> >> http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
> >>
> > Moritz said "use p-u", I'm not going to second-guess him.
>
> This was before the real impact of the issue was clear (I believe),
> and definitely before the exploit code existed. Personally, I think
> this needs to get out to squeeze users ASAP.

Sorry for disclosing the exploit, but for your information, when I
discovered this vulnerability, the first thing I did was to send an email
to secur...@debian.org. It contained a full description and the PoC
(exploit) you are talking about (encrypted mail sent on Oct 9th 2011). I
never got any feedback.

Is secur...@debian.org still the right way to report vulnerabilities?

Regards,
vladz.

Archive: http://lists.debian.org/20111127193647.ga23...@devzero.fr