On Wednesday, 14 May 2008, at 19:17:25 (-0400), Enlightenment CVS wrote:

> Enlightenment CVS committal
>
> Author  : mej
> Project : eterm
> Module  : Eterm
>
> Dir     : eterm/Eterm
>
>
> Modified Files:
>       ChangeLog
>
>
> Log Message:
> Wed May 14 16:09:04 2008                        Michael Jennings (mej)
>
> (Correct) fix for CVE-2008-1692.  Eterm no longer defaults to using
> ":0" for $DISPLAY due to the possibility that an attacker can create a
> fake X server on a shared system, intercept the Eterm X connection,
> and send fake keystrokes to the victim's Eterm to execute arbitrary
> commands as that user.
>
> The previous fix, while it did indeed correct the vulnerability, broke
> the --display option.  The original fix from Bernhard Link was more
> correct, albeit not quite on target.
> ----------------------------------------------------------------------
I'm going to give a few days for this and other changes committed today to
settle out, after which I will release 0.9.5 as a security update.  Please
let me know ASAP if you encounter trouble with these changes.  Consider CVS
at this point a release candidate.

Michael

-- 
Michael Jennings (a.k.a. KainX)  http://www.kainx.org/  <[EMAIL PROTECTED]>
Linux Server/Cluster Admin, LBL.gov        Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
 "From lost and not found, to run and not hide, my hand inside Your
  hand.  Losing my grip, falling so far, my hand inside Your hand."
                                                 -- Jars of Clay, "Hand"

_______________________________________________
enlightenment-devel mailing list
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
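The commit message above describes the weak default (guess ":0" when neither --display nor $DISPLAY is given) and why it matters on a shared host. The following C program is an added illustration, not Eterm's own code: it shows the vulnerable selection logic beside the hardened one, where --display takes precedence over $DISPLAY (the behaviour the intermediate fix broke) and the absence of both is an error rather than a guess. It also maps a local display name to the Unix socket Xlib would connect to, which is why ":0" is hijackable: /tmp is world-writable, so when no X server owns /tmp/.X11-unix/X0 any local user can create that socket and answer the connection. The function names pick_display_vuln, pick_display and x_unix_socket_path are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable behaviour (pre-fix): with no --display and no $DISPLAY, silently
 * fall back to ":0".  Hypothetical name; not Eterm's own function. */
const char *pick_display_vuln(const char *cli_display, const char *env_display)
{
    if (cli_display && *cli_display) return cli_display;
    if (env_display && *env_display) return env_display;
    return ":0";   /* the insecure default CVE-2008-1692 is about */
}

/* Hardened behaviour: --display first, then $DISPLAY, otherwise NULL so the
 * caller refuses to start instead of guessing a display. */
const char *pick_display(const char *cli_display, const char *env_display)
{
    if (cli_display && *cli_display) return cli_display;
    if (env_display && *env_display) return env_display;
    return NULL;
}

/* For a display with an empty or "unix" host part, Xlib connects to the Unix
 * socket /tmp/.X11-unix/X<n>.  Returns 0 and fills 'out' for such displays,
 * -1 for TCP displays (non-local host) or names that do not parse. */
int x_unix_socket_path(const char *display, char *out, size_t outlen)
{
    const char *colon = strchr(display, ':');
    const char *p;
    size_t hostlen;
    int n = 0;

    if (!colon) return -1;
    hostlen = (size_t)(colon - display);
    /* a non-empty host other than "unix" is a TCP display, not a local socket */
    if (hostlen != 0 && !(hostlen == 4 && strncmp(display, "unix", 4) == 0))
        return -1;
    p = colon + 1;
    if (*p < '0' || *p > '9') return -1;        /* display number is required */
    while (*p >= '0' && *p <= '9') { n = n * 10 + (*p - '0'); p++; }
    if (*p != '\0' && *p != '.') return -1;     /* only an optional ".screen" may follow */
    if (snprintf(out, outlen, "/tmp/.X11-unix/X%d", n) >= (int)outlen) return -1;
    return 0;
}

int main(void)
{
    char path[64];
    const char *d = pick_display(NULL, getenv("DISPLAY"));

    if (!d) {
        fputs("no --display given and $DISPLAY unset; refusing to guess \":0\"\n", stderr);
        return 1;
    }
    if (x_unix_socket_path(d, path, sizeof path) == 0)
        printf("display %s -> local socket %s (anyone may create it if unowned)\n", d, path);
    else
        printf("display %s -> not a local Unix socket\n", d);
    return 0;
}
```

Run it with DISPLAY unset to see the hardened refusal, and with DISPLAY=:0 to see which socket in /tmp/.X11-unix a connection would actually open.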
