Format: 1.8
Date: Sun, 25 Mar 2012 13:53:09 +0100
Source: tremulous
Binary: tremulous tremulous-server tremulous-doc
Architecture: source i386 all
Version: 1.1.0-7~squeeze1
Distribution: stable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 tremulous - Aliens vs Humans, team based FPS game with elements of an RTS
 tremulous-doc - Tremulous documentation
 tremulous-server - Tremulous server
Closes: 660827 660830 660831 660832 660834 660836
Changes:
 tremulous (1.1.0-7~squeeze1) stable; urgency=low
 .
   * Stable update (#663104), incorporating security fixes from unstable
   * Fix an incorrect bug number in revision -6
 .
 tremulous (1.1.0-7) unstable; urgency=medium
 .
   * Add a lintian override for embedded-library libjpeg (#589407) to avoid
     auto-rejection. It is a valid bug, but is not a regression, and fixing
     several long-standing security vulnerabilities seems more important than
     getting rid of an embedded library that is not known to be exploitable.
 .
 tremulous (1.1.0-6) unstable; urgency=medium
 .
   * Backport patches from ioquake3 to fix long-standing security bugs:
     - CVE-2006-2082: arbitrary file download from server by a malicious
       client (Closes: #660831)
     - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
       COM_StripExtension, exploitable in clients of a malicious server
       (Closes: #660827)
     - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
       malicious server (Closes: #660830)
     - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
       server (Closes: #660832)
     - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
       code execution) in clients of a malicious server (Closes: #660834)
     - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
       code execution) in clients of a malicious server if auto-downloading
       is enabled (Closes: #660836)
   * As a precaution, disable auto-downloading
   * Backport ioquake3 r1141 to fix a potential buffer overflow in error
     handling (not known to be exploitable, but it can't hurt)
   * Add gcc attributes to all printf- and scanf-like functions, and
     fix non-literal format strings (again, none are known to be exploitable)

Accepted:
tremulous-doc_1.1.0-7~squeeze1_all.deb
  to contrib/t/tremulous/tremulous-doc_1.1.0-7~squeeze1_all.deb
tremulous-server_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous-server_1.1.0-7~squeeze1_i386.deb
tremulous_1.1.0-7~squeeze1.debian.tar.gz
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.debian.tar.gz
tremulous_1.1.0-7~squeeze1.dsc
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1.dsc
tremulous_1.1.0-7~squeeze1_i386.deb
  to contrib/t/tremulous/tremulous_1.1.0-7~squeeze1_i386.deb