tremulous_1.1.0-7~squeeze1_i386.changes ACCEPTED into proposed-updates

Debian FTP Masters ftpmaster at ftp-master.debian.org
Mon Mar 26 18:33:04 UTC 2012



Notes:
Mapping stable to proposed-updates.


Accepted:
tremulous-doc_1.1.0-7~squeeze1_all.deb
  to contrib/t/tremulous/tremulous-doc_1.1.0-7~squeeze1_all.deb
tremulous-server_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous-server_1.1.0-7~squeeze1_i386.deb
tremulous_1.1.0-7~squeeze1.debian.tar.gz
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.debian.tar.gz
tremulous_1.1.0-7~squeeze1.dsc
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.dsc
tremulous_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1_i386.deb


Changes:
tremulous (1.1.0-7~squeeze1) stable; urgency=low
 .
  * Stable update (#663104), incorporating security fixes from unstable
  * Fix an incorrect bug number in revision -6
 .
tremulous (1.1.0-7) unstable; urgency=medium
 .
  * Add a lintian override for embedded-library libjpeg (#589407) to avoid
    auto-rejection. It is a valid bug, but is not a regression, and fixing
    several long-standing security vulnerabilities seems more important
    than getting rid of an embedded library that is not known to be
    exploitable.
 .
tremulous (1.1.0-6) unstable; urgency=medium
 .
  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious client
      (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)


Override entries for your package:
tremulous-doc_1.1.0-7~squeeze1_all.deb - optional contrib/doc
tremulous-server_1.1.0-7~squeeze1_i386.deb - optional contrib/games
tremulous_1.1.0-7~squeeze1.dsc - source contrib/games
tremulous_1.1.0-7~squeeze1_i386.deb - optional contrib/games

Announcing to debian-changes at lists.debian.org
Closing bugs: 660827 660830 660831 660832 660834 660836 


Thank you for your contribution to Debian.


