> Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue.
I am not an Ubuntu user (I reported this bug after fixing these vulnerabilities in Debian, to be helpful to our downstream distribution), so I'm afraid I'm not going to take on Ubuntu package maintenance. I asked for a new maintainer for Tremulous in Debian, and nobody volunteered, so I have now arranged for Tremulous to be removed from Debian testing/unstable. As a result, it will not be in Debian 7.0, unless someone re-uploads it within the next 2-4 weeks and takes responsibility for it. If nobody from the Ubuntu community intends to take responsibility for securing the Tremulous packages, I would recommend removing these packages from Ubuntu as well. -- You received this bug notification because you are a member of Debian/Ubuntu Games Team, which is subscribed to tremulous in Ubuntu. https://bugs.launchpad.net/bugs/970819 Title: multiple security vulnerabilities Status in “tremulous” package in Ubuntu: Confirmed Bug description: Please consider syncing tremulous/1.1.0-8 from Debian unstable into all supported Ubuntu versions. It fixes: - CVE-2006-2082: arbitrary file download from server by a malicious client (Closes: #660831) - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on COM_StripExtension, exploitable in clients of a malicious server (Closes: #660827) - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a malicious server (Closes: #660830) - CVE-2006-3324: arbitrary file overwriting in clients of a malicious server (Closes: #660832) - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary code execution) in clients of a malicious server (Closes: #660834) - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary code execution) in clients of a malicious server if auto-downloading is enabled (Closes: #660836) - a potential buffer overflow in error handling (not known to be exploitable, but it can't hurt) - non-literal format strings (again, none are known to be exploitable) - CVE-2010-5077, use of Tremulous servers by third parties to perform reflected DoS attacks It also disables auto-downloading to mitigate any future security vulnerabilities. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tremulous/+bug/970819/+subscriptions _______________________________________________ Pkg-games-ubuntu mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-games-ubuntu
