ioquake3 upstream announced having fixed a big security vulnerability: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

They advise updating to their latest test build... I asked upstream if they should not consider making a release instead if they've come down to discouraging use of their stable release: http://discourse.ioquake.org/t/important-security-update-please-update-ioquake3-immediately/832/3?u=akien

Otherwise the fix is quite simple, so it should be cherry-pickable if we don't want to update to their git master as they seem to advise: https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
Whiteboard: (none) => MGA5TOO
Component: RPM Packages => Security
Debian has issued an advisory for this on March 18: https://www.debian.org/security/2017/dsa-3812
Summary: ioquake3 new security vulnerability => ioquake3 new security vulnerability (CVE-2017-6903)
QA Contact: (none) => security
It looks like Rémi fixed this in Cauldron in 1.36-12.20170428.1.mga6. Mageia 5 still has yet to be addressed.
Version: Cauldron => 5
CC: (none) => luigiwalser
Whiteboard: MGA5TOO => (none)
Indeed, I forgot about Mageia 5. I'll push the same update there.
Ping Rémi.
Sorry for the delay; when I looked into it, it was more complex than I thought. Just rebasing the Mageia 5 on Cauldron means breaking compatibility to some extent, and the code being patched is quite different in the super old ioquake3 version of Mageia 5.
Can't we update ioquake3 and extents?
CC: (none) => mageia
Depends on: (none) => 21580
Guessing that we don't intend to update this at this point. Closing.
Resolution: (none) => OLD
Status: NEW => RESOLVED