Upstream changelog for version 4.4.2 lists:
# Allocate copy of passed client id, program name and working directory in
session management, in case the application frees the data.
# Properly deal with %-starting 'field codes' in commands from .desktop files.
Not sure if those are vulnerabilities at all; I'm not that familiar with the XFCE code. Better safe than sorry, I'd say. ;)
Don't have any further details here either.
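Added illustration of the first changelog entry (this is example code, not libxfce4gui's; the struct, function names and sample strings are made up for it): a session-management record that keeps the caller's pointers versus one that allocates its own copies. The demo uses stack buffers and an overwrite rather than heap buffers and free(), so the buggy path stays defined behaviour and can be observed instead of crashing; with heap buffers and both sides calling free() the same aliasing is a double free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Session-management client record. Field and function names are this
 * example's own, not libxfce4gui's. */
struct sm_client {
    char *client_id;
    char *program;
    char *cwd;
    int   owns_strings;   /* non-zero when the record holds private copies */
};

/* malloc-backed copy (strdup is POSIX, not ISO C, so spell it out). */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Buggy pattern: the record keeps the caller's pointers. Once the caller
 * frees or reuses those buffers the record refers to dead or changed memory,
 * and if both sides free them the result is a double free. */
void sm_client_set_info_aliasing(struct sm_client *c, char *client_id,
                                 char *program, char *cwd)
{
    c->client_id = client_id;
    c->program = program;
    c->cwd = cwd;
    c->owns_strings = 0;
}

/* Fixed pattern: allocate private copies so the record's lifetime is
 * independent of the caller's buffers. Returns 0 on success, -1 on
 * allocation failure (record left untouched). */
int sm_client_set_info(struct sm_client *c, const char *client_id,
                       const char *program, const char *cwd)
{
    char *id = copy_string(client_id);
    char *prog = copy_string(program);
    char *dir = copy_string(cwd);
    if (!id || !prog || !dir) {
        free(id);
        free(prog);
        free(dir);
        return -1;
    }
    c->client_id = id;
    c->program = prog;
    c->cwd = dir;
    c->owns_strings = 1;
    return 0;
}

/* Release only what the record itself allocated. */
void sm_client_clear(struct sm_client *c)
{
    if (c->owns_strings) {
        free(c->client_id);
        free(c->program);
        free(c->cwd);
    }
    c->client_id = c->program = c->cwd = NULL;
    c->owns_strings = 0;
}

/* Simulates a caller that hands its buffers (constructed sample values) to
 * the session manager and then reuses them. Returns 1 if the record still
 * reports the original program name afterwards, 0 if it changed underneath
 * us, -1 on allocation failure. */
int record_survives_caller_reuse(int use_copy)
{
    char buf_id[32] = "10e6a2c9b1-0001";
    char buf_prog[32] = "xfce4-panel";
    char buf_cwd[32] = "/home/user";
    struct sm_client c = {0};
    int ok;

    if (use_copy) {
        if (sm_client_set_info(&c, buf_id, buf_prog, buf_cwd) != 0)
            return -1;
    } else {
        sm_client_set_info_aliasing(&c, buf_id, buf_prog, buf_cwd);
    }

    /* Caller is done with its buffers and reuses them. */
    strcpy(buf_prog, "something-else");

    ok = strcmp(c.program, "xfce4-panel") == 0;
    sm_client_clear(&c);
    return ok;
}

int main(void)
{
    printf("with copies : %s\n", record_survives_caller_reuse(1) ? "intact" : "corrupted");
    printf("with aliases: %s\n", record_survives_caller_reuse(0) ? "intact" : "corrupted");
    return 0;
}
```

The owns_strings flag is what makes the cleanup path safe: the record only frees memory it allocated itself, so there is exactly one owner for each string regardless of what the caller does afterwards.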
Bleh, sorry for the bug spam. Getting the summary right is hard. ;)
It was wrong before, should be better now, but I'm still not sure.
First issue, libxfce4gui:
The "%" one:
xfce: ok for 4.4.2 going stable?
(In reply to comment #4)
> xfce: ok for 4.4.2 going stable?
All but MIPS stable on bug 201747, setting GLSA.
The % issue is not a security problem, as it only means that %U and other strings do not get removed from Exec calls in .desktop files.
CVE-2007-6532 was assigned to the double free.
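Added example for the "%" item (not XFCE's code; the function name and the sample Exec lines are made up for it): stripping Desktop Entry field codes from an Exec value. The code list is the one from the freedesktop.org Desktop Entry specification; "%%" is a literal percent, a known code is dropped, and anything else after "%" is kept as-is. The upstream bug was that these codes were being left in the command, which is what this function is supposed to prevent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field codes defined by the freedesktop.org Desktop Entry specification:
 * %f %F %u %U (file/URL arguments), %i (icon), %c (name), %k (file location)
 * and the deprecated %d %D %n %N %v %m. "%%" is a literal percent sign. */
static const char FIELD_CODES[] = "fFuUickdDnNvm";

/* Remove all field codes from an Exec value, writing the result to out.
 * A launcher would substitute file/URL arguments for %f/%F/%u/%U; this
 * example just drops every code, which is what the "no files given" path
 * has to do anyway. A space left stranded by a removed code is collapsed,
 * trailing whitespace is trimmed, and any "%x" that is not a known code
 * (or a lone trailing "%") is kept literally.
 * Returns the length written (excluding NUL) or -1 if out is too small. */
int desktop_exec_strip_field_codes(const char *exec, char *out, size_t outlen)
{
    size_t o = 0;

    if (outlen == 0)
        return -1;

    for (size_t i = 0; exec[i] != '\0'; i++) {
        char ch = exec[i];

        if (ch == '%') {
            char next = exec[i + 1];
            if (next == '%') {
                i++;                       /* "%%" -> "%" */
            } else if (next != '\0' && strchr(FIELD_CODES, next) != NULL) {
                i++;                       /* drop the two-byte field code */
                /* avoid leaving "a  b" when "a %U b" loses its middle */
                if (o > 0 && out[o - 1] == ' ' && exec[i + 1] == ' ')
                    i++;
                continue;
            }
            /* unknown "%x" or lone "%": fall through and keep the '%' */
        }

        if (o + 1 >= outlen)
            return -1;
        out[o++] = ch;
    }

    while (o > 0 && out[o - 1] == ' ')
        o--;
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* constructed sample Exec values for this example */
    const char *samples[] = {
        "xfce4-terminal %U",
        "firefox %u --new-window",
        "sh -c 'echo 100%%'",
        "foo %z",
        "bar %",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (desktop_exec_strip_field_codes(samples[i], buf, sizeof buf) >= 0)
            printf("%-28s -> \"%s\"\n", samples[i], buf);
    }
    return 0;
}
```

Note the length check before every byte written and the explicit -1 on overflow: a stripping routine is usually fed by untrusted .desktop files, so it should refuse to write past its buffer rather than truncate silently.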
(In reply to comment #9)
> GLSA 200801-06
. . . I know the GLEP was already sent and posted to the forums, but you should be aware that I finally removed the Upgrading section last month, as 4.2 was removed from Portage a looooooong time ago. Even 4.4 and 4.4.1 have been removed from the tree. Anyway, the upgrade path outlined in the guide no longer exists; drac had been doing many ebuild changes so that it would have required different procedures.
Users will have to visit CVS to see the last version of the guide with that chapter.
Thanks for pointing that out, I removed the reference.