Bug#406400: nexuiz: Open security fixes in Etch
Moritz Muehlenhoff
jmm at inutil.org
Thu Jan 11 19:14:32 CET 2007
On Thu, Jan 11, 2007 at 05:35:25AM +0100, Cyril Brulebois wrote:
> Moritz Muehlenhoff <jmm at debian.org> (10/01/2007):
> > I'm currently busy and haven't had the time to investigate it myself
> > yet, but it should be tracked for Etch:
> > - fixed fake players DoS (CVE-2006-6609)
> > - fixed clientcommands remote console command injection (CVE-2006-6610)
> >
> > If the second vulnerability refers to shell command execution and not
> > to some kind of in-game-console ala Quake this warrants an RC security
> > bug.
>
> By googling on the CVE IDs, I found a site[1] stating that it is about
> shell command execution:
>
> ``A remote attacker could exploit this vulnerability to execute
> arbitrary commands on the system.''
>
> 1. http://xforce.iss.net/xforce/xfdb/30875
Security databases typically don't investigate very much; they only
provide a quick write-up. Can you please contact upstream?
> Since 2.2.1-1 has been in sid for 26 days, I was wondering whether
> pushing this version into etch would be an acceptable fix.
I agree that would be a viable approach. It also features better multi-player
compatibility.
Cheers,
Moritz