x11-apps/xinit should ship a file /etc/X11/xinit/xserverrc that contains:

-br -nolisten tcp

Instead of shipping this patch, x11-apps/xinit/files/nolisten-tcp-and-black-background.patch, which is then only used by startx, leaving other starting methods, like startxfce4, vulnerable to remote attacks (open tcp 6000).

Starting from Xfce 4.4.2 this is worked around by xfce-base/xfce-utils/files/xfce-utils-4.4.2-nolisten-tcp.patch
Just to be clear, both startx and startxfce4 can use this standard xserverrc. Debian ships one, we should also.
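As an added example (not part of the bug report or of any Gentoo or Debian file), the following POSIX shell script audits the setting the two comments above are discussing: whether an xserverrc file passes `-nolisten tcp` to the X server, and whether a given X server command line carries that option. The string checks are pure functions so they can be exercised without a running X server; the `audit_running_x` function assumes a Linux system with `ps` and `ss` available and is only run when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example: audit X server TCP listening settings.
# Not from the bug report; file paths and the --live flag are assumptions.

# Return 0 if the X server command line in $1 contains "-nolisten tcp".
x_cmdline_nolisten_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the xserverrc file at $1 passes "-nolisten tcp" to X
# on a non-comment line (a commented-out option does not count).
xserverrc_nolisten_tcp() {
    [ -r "$1" ] || return 1
    grep -Eq '^[^#]*-nolisten[[:space:]]+tcp' "$1"
}

# Live audit (Linux, needs ps and ss): report every running X server
# without "-nolisten tcp", and whether anything listens on TCP 6000.
audit_running_x() {
    rc=0
    ps -eo args 2>/dev/null | grep -E '^(/usr/bin/)?(X|Xorg)( |$)' |
    while IFS= read -r cmdline; do
        if x_cmdline_nolisten_tcp "$cmdline"; then
            echo "ok: $cmdline"
        else
            echo "WARNING, TCP listening not disabled: $cmdline"
        fi
    done
    if ss -ltn 2>/dev/null | grep -q ':6000 '; then
        echo "WARNING: something is listening on TCP port 6000"
        rc=1
    fi
    if xserverrc_nolisten_tcp /etc/X11/xinit/xserverrc; then
        echo "ok: /etc/X11/xinit/xserverrc disables TCP listening"
    else
        echo "note: no xserverrc with -nolisten tcp at /etc/X11/xinit/xserverrc"
    fi
    return $rc
}

# Only touch the live system when explicitly asked (assumed flag).
if [ "${1:-}" = "--live" ]; then
    audit_running_x
fi
```

Run with `sh audit-x.sh --live` to check the running system; the exit status is non-zero when port 6000 is open. Because `xserverrc_nolisten_tcp` ignores commented lines, a file that merely mentions the option in a comment is correctly reported as not disabling TCP.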
I'm not sure why security is CC'd on here, as being open on port 6000 does not in itself cause any vulnerabilities. Remote users still require authentication (e.g., via xauth) to access X. Right now, I know gdm, kdm and startx all don't listen on 6000 by default, and I think xdm, which nobody uses, still does. There is bug #193044 for that, which this appears to be a duplicate of.
No point in having two bugs then.

*** This bug has been marked as a duplicate of bug 193044 ***