X.Org releases & automake security issue CVE-2009-4029

Alan Coopersmith Alan.Coopersmith at Sun.COM
Tue Dec 8 15:48:03 PST 2009


The GNU automake maintainers today issued patches and a security advisory
for a problem when running 'make dist*' on projects which had Makefile.in
generated by versions of automake prior to the patch:
  http://lists.gnu.org/archive/html/autotools-announce/2009-12/msg00002.html

This pretty much covers every X.Org modular release tarball ever made.
Clearly X.Org will not be rebuilding all our past tarballs with new
automake releases, as we simply don't have the people-power.

It's unclear to me if we need to rebuild any releases at all, or just
tell end users that if they're running 'make dist*' on a previously
released tarball, on a system in which untrusted users could log in or
access the filesystem, they should run "autoreconf" first with a patched
local automake install. Any opinions?

X.Org developers/maintainers should move to patched versions of automake
when possible for generating release tarballs going forward.

-- 
	-Alan Coopersmith-           alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering


