Subject: Re: CVS commit: xsrc/xc
To: Jim Wise <jwise@draga.com>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: tech-x11
Date: 09/10/2002 14:16:10
>>>	try a diff between these two code.  they are identical!
>>Are they used the same way?  Is the code path leading to them the same?
>
>	yes.
>
>>Is there a reason that both XFree.org and our X11 maintainer seem to
>>have concluded that the XF86 3 code is not vulnerable?  Wouldn't it seem
>>to warrant checking with said maintainer before changing code this close
>>to a release?
>
>	i'm not too sure if XFree86 team cares about 3.3.x any longer.
>	so it is uncertain if "no announcement about XF86 3.3.x" means "3.3.x
>	is safe" or "3.3.x is no longer maintained".

	they try to issue 3.3.x announcements, but having problem in doing so
	(human resource shortage/lack of interest, it seems)

>	i sent a question to them, so we will find out.

	there are three security issues in 4.2.1, and two of them applies to
	3.3.6.  zlib issue does not apply to netbsd as we ship with
	/usr/lib/libz.a (so zlib in X tree is not in use).  so i was right
	about pulling these fixes up to our xsrc.

itojun