Upstream changelog for version 4.4.2 lists: # Allocate copy of passed client id, program name and working directory in session management, in case the application frees the data. # Properly deal with %-starting 'field codes' in commands from .desktop files. Not sure if those are vulnerabilities at all, I'm not that familiar with XFCE code. Better safe than sorry, I'd say. ;) Don't have any further details here either.
Bleh, sorry for the bug spam. Getting the summary right is hard. ;) It was wrong before, should be better now, but I'm still not sure.
First issue, libxfce4gui:
4.4: http://svn.xfce.org/index.cgi/xfce4/revision?rev=25554
trunk: http://svn.xfce.org/index.cgi/xfce4/revision?rev=25555
The "%" one:
4.4: http://svn.xfce.org/index.cgi/xfce4/revision/?rev=25677
xfce: ok for 4.4.2 going stable?
(In reply to comment #4)
> xfce: ok for 4.4.2 going stable?
> bug 201747
All but MIPS stable on bug 201747, setting GLSA.
The % issue is not a security problem, as it only means that %U and other strings do not get removed from Exec calls in .desktop files.
CVE-2007-6532 was assigned to the double free.
GLSA 200801-06
(In reply to comment #9)
> GLSA 200801-06
> . . .
I know the GLEP was already sent and posted to the forums, but you should be aware that I finally removed the Upgrading section last month, as 4.2 was removed from Portage a looooooong time ago. Even 4.4 and 4.4.1 have been removed from the tree. Anyway, the upgrade path outlined in the guide no longer exists; drac had been doing many ebuild changes so that it would have required different procedures. Users will have to visit CVS[1] to see the last version of the guide with that chapter.
[1] http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/xfce-config.xml?rev=1.14&view=markup
Thanks for pointing that out, I removed the reference.