Below is a mail about a security issue about Makefile files generated by automake.
raster: maybe we should regenerate the snapshots

Vincent

---------- Forwarded message ----------
Date: Tue, 08 Dec 2009 15:48:03 -0800
From: Alan Coopersmith <[email protected]>
To: X.Org Developers <[email protected]>
Subject: X.Org releases & automake security issue CVE-2009-4029

The GNU automake maintainers today issued patches and a security advisory
for a problem when running 'make dist*' on projects which had Makefile.in
generated by versions of automake prior to the patch:

http://lists.gnu.org/archive/html/autotools-announce/2009-12/msg00002.html

This pretty much covers every X.Org modular release tarball ever made.

Clearly X.Org will not be rebuilding all our past tarballs with new
automake releases, as we simply don't have the people-power. It's unclear
to me if we need to rebuild any releases at all, or just tell end users
that if they're running 'make dist*' on a previously released tarball, on
a system in which untrusted users could login or access the filesystem,
they should run "autoreconf" first with a patched local automake install.
Any opinions?

X.Org developers/maintainers should move to patched versions of automake
when possible for generating release tarballs going forward.

--
-Alan Coopersmith- [email protected]
Sun Microsystems, Inc. - X Window System Engineering
