These Web pages are mirrored at the following locations:
The master web site is http://www.xfree86.org
XFree86 is a freely redistributable implementation of the X Window System that runs on UNIX(R) and UNIX-like operating systems (and OS/2). The XFree86 Project has traditionally focused on Intel x86-based platforms (which is where the `86' in our name comes from), but our current release also supports other platforms. One of our current goals is to increase the range of platforms that XFree86 runs on.
X11R6.4: for an update see below.
Vulnerabilities have been found in the XFree86 X servers. The problems are associated with buffer overflows in code that processes user-supplied data. All releases of XFree86 up to and including 3.3.2 patch 2 are vulnerable to these problems.
A source patch for these problems is available now. Updated binaries are also available. The updated binaries can be found in the X3323upd.tgz files and Servers and PC98-Servers directories in the appropriate subdirectories of the XFree86 3.3.2 binaries directory. Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes. The X3323upd.tgz update includes those things fixed in the previous updates (X3321upd.tgz,X3322upd.tgz), so it can be installed without first installing the previous updates.
Vulnerabilities have been found in the X11, Xt, Xaw and Xmu libraries. These affect xterm and all other setuid-root programs that use these libraries. The problems are associated with buffer overflows in code that processes user-supplied data. The Xt library problems include those fixed in TOG's recent public patch 3 for X11R6.3. All releases of XFree86 up to and including 3.3.2 patch 1 are vulnerable to some or all of these problems.
There is a denial of service problem with xdm which can result in both local and remote users crashing xdm.
A source patch for these problems is available now. Updated binaries are also available. The updated binaries can be found in the X3322upd.tgz files in the appropriate subdirectories of the XFree86 3.3.2 binaries directory. Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes. The X3322upd.tgz update includes those things fixed in the previous update (X3321upd.tgz), so it can be installed without first installing the previous update.
Addendum: The initial version of this patch contained a bug in the X11 library that would cause some X applications (including xterm) to crash at startup on Linux systems using libc5. No other systems are affected by this. This bug does not represent a security vulnerability. The source patch and affected binaries were updated on the morning of 26 May (US EST). The problem only shows up when neither of LANG or LC_CTYPE is set in the environment. A temporary workaround is to set LANG to "C".
Note that it is important to follow the instructions in those notes carefully, and that the updated xterm and xdm programs and the X libraries library must be installed to fix the problems. Also, the X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries subdirectories still contain the original buggy versions. For new XFree86 3.3.2 installations it is important to extract the X3322upd.tgz tarball after extracting the others.
The Open Group recently released a security advisory concerning vulnerabilities in the xterm program and in the Xaw (Athena Widget) library. These particular problems are associated with buffer overflows in the code that processes the inputMethod and preeditType resources in both xterm and the Xaw library, and the *Keymap resources in xterm. The Xaw problems affect any setuid-root binaries that use the Xaw library (including xterm). The inputMethod and preeditType problems affect all releases of XFree86 from 3.0 to 3.3.2 (inclusive). The *Keymap problem affects all releases of XFree86 up to and including 3.3.2.
The Open Group's fixes for these problems are currently available only to its members (XFree86 is not a member). XFree86 is independently releasing its own fixes for these problems. A source patch is available now. Updated binaries for some OSs are also available now, and others will be available soon. The updated binaries can be found in the X3321upd.tgz files in the appropriate subdirectories of the XFree86 3.3.2 binaries directory. Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes.
Note that it is important to follow the instructions in those notes carefully, and that both the updated xterm program and Xaw library must be installed to fix the problem with xterm. Also, the X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries subdirectories still contain the original buggy versions. When doing an new XFree86 3.3.2 installation it is important to extract the X3321upd.tgz after extracting the others.
In response to the recent change in X11 licensing by The Open Group (TOG), XFree86 has decided to continue development based on the freely available X11R6.3 sample implementation. For further details, see our press release on this subject.
[20 September 1998]
According to information on The Open Group website, the licensing of X11R6.4 has been changed back to the traditional X Window Style Copyright. Therefore we are planning to include X11R6.4 into our XFree86-4.0 release.
Metro Link Incorporated has been working closely with XFree86 on some important parts of our next major release (XFree86 4.0). This has included donating many of their developments and enhancements back to the XFree86 Project. Follow this link for further details. The XFree86 Project is appreciative of the significant contribution that this represents.
Note: we don't have even a tentative release date for XFree86 4.0 yet, so please don't ask about that.
XFree86-3.3.2 is now available!
There are quite a few bug fixes in this release. If you are having problems with a prior release, please try XFree86-3.3.2 first before asking for help.
Highlights of the new release include
Before asking a question or submitting a bug report, please check the FAQ.
We don't have the resources to reply to questions already covered by the FAQ. Also, please don't send us questions that are not directly about XFree86 (Some examples of things not directly about XFree86 includes things like fvwm, general X programming, Linux, Windows 3.x, Win95, Win-NT or any other operating system XFree86 doesn't support, etc).
S.u.S.E. GmbH, one of the major supporters of XFree86, has started to release a small series of their own X servers. These servers are based on XFree86 code and released with permission of The XFree86 Project, Inc. All work related to these servers is contributed back to XFree86, these servers will be included in XFree86's next public release.
This is what happened in XFree86-3.3.2 with all XSuSE servers except for XSuSE_Elsa_GLoria. The reasons for not including XSuSE_Elsa_GLoria were purely legal ones and outside the control of S.u.S.E. GmbH or The XFree86 Project, Inc.
Currently XSuSE_Elsa_GLoria is available for some cards from Elsa (Elsa GLoria L, GLoria L/MX, GLoria S, GLoria Synergy, Winner Office/2000; similar cards from other vendors (like Diamonds Fire GL 1000, GL 1000 PRO, and 3000; many other Permedia 2 based cards) should work with this server as well).
Check the XSuSE webpage for more details about these servers. Please contact SuSE's XSuSE support address with all comments, questions, or reports regarding these servers.
The XFree86 Project, Inc is a non-profit organisation that produces XFree86, the X Window server for PC based UNIX(R) and UNIX-like systems.
If you obtain XFree86 software in its original or a derived form, from an entity other than The XFree86 Project, Inc. (or one of our Internet mirror sites), please consider using vendors which support our work in the form of donations. You can find a complete list of those vendors on our sponsors page. In particular, some CD-ROM vendors provide financial support to our project, whereas others don't or will only do so under unacceptable constraints.
In addition, please consider donating if you find our software a useful component of your computing environment. Without this financial support, our continued progress will be hindered.
One of the XFree86 Project's scarcest and most valued resources is its developers. We're never short on things that need to be done, just short of people to do them. If you're interested in donating some of your spare time to help advance XFree86, we'd like to hear from you. A lot of our work is in the area of video drivers, but we also need people working in other areas, like X11 libraries and client code, and in maintaining and improving our documentation. Information about becoming an XFree86 developer can be found on our developer page.
UNIX is a registered trademark of The Open Group
The Open Group and X Window System are trademarks of The Open Group
Metro Link is a trademark of Metro Link Incorporated
S.u.S.E is a trademark of S.u.S.E, GmbH
Intel is a registered trademark of Intel Corporation
All other trademarks are the property of their respective owners.
The XFree86 logo was created by Gary Swofford.