[ SOURCE: http://www.secureroot.com/security/advisories/9719817670.html ]

Problem:



XFCE 3.5.1 ships with the following entry in /etc/X11/xfce/xinitrc:



xhost +$HOSTNAME



If a person is using this on a multiuser system, all local users may connect to their X session and capture keystrokes, etc.



Fix:



Upgrade to XFCE 3.5.2. The offending line has been commented out.



Cheers,

Nick