Adding 4563 because if the package isn't updated when upgrading from mdv -> mga1 -> mga2, they won't get subsequent security updates from us for this package until this is fixed.

Depends on: (none) => 4563

5041 is now fixed in Cauldron.

Depends on: 5041 => (none)

5141 is now fixed in Cauldron.

Depends on: 5141 => (none)

5169 is now fixed in Cauldron.

Depends on: 5169 => (none)

5203 is now fixed in Cauldron.

Depends on: 5203 => (none)

5208 is now fixed in Cauldron.

Depends on: 5208 => (none)

5108 is now fixed in Cauldron.

Depends on: 5108 => (none)

5255 is now fixed in Cauldron.

Depends on: 5255 => (none)

4563 is now fixed in Cauldron.

Depends on: 4563 => (none)

5063 is now fixed in Cauldron.

Depends on: 5063 => (none)

5261 is now fixed in Cauldron.

Depends on: 5261 => (none)

5459 is now fixed in Cauldron.

Depends on: 5459 => (none)

5432 is now fixed in Cauldron.

Depends on: 5432 => (none)

3099 is now fixed in Cauldron.

Depends on: 3099 => (none)

5458 is now fixed in Cauldron.

Depends on: 5458 => (none)

3101 is not a mageia 2 release blocker bug, it only affect mageia 1.

CC: (none) => guillomovitch
Depends on: 3101 => (none)

According to maintainer comment, 5496 is also specific to mageia 1.

Depends on: 5496 => (none)

(In reply to comment #17)
> According to maintainer comment, 5496 is also specific to mageia 1.

That has not been verified for all of the affected games, only tremulous.

Depends on: (none) => 5496

(In reply to comment #18)
> (In reply to comment #17)
> > According to maintainer comment, 5496 is also specific to mageia 1.
> 
> That has not been verified for all of the affected games, only tremulous.

That's not what I said. We have the same version of ioquake3 from Fedora, I based the current cauldron ioquake3 package on Fedora's quake3 package. Our version includes the same svn version and the same patches as Fedora. So games like ioquake3, urban terror, world of padman and smokin' guns aren't affected (trusting on Fedora's testing of the fixed ioquake3 source).

CC: (none) => juan.baptiste

(In reply to comment #19)
> We have the same version of ioquake3 from Fedora, I
> based the current cauldron ioquake3 package on Fedora's quake3 package. Our
> version includes the same svn version and the same patches as Fedora. So games
> like ioquake3, urban terror, world of padman and smokin' guns aren't affected
> (trusting on Fedora's testing of the fixed ioquake3 source).

What about openarena?

Althought openarena uses the ioquake3 engine, our openarena's package doesn't use this ioquake3 package and includes it's own copy of the engine, so openarena needs to be checked against this bug.


The games that aren't affected in mga 2 because they use the patched version from Fedora are:

- ioquake3
- Urban Terror
- World of Padman
- Smokin' Guns

There's also Turtle Arena, which is also based on a ioquake3 engine fork, so it maybe can be affected by this. I will contact the author and ask him about this.

There are more security issues with the Quake 3 engine that are not fixed in the Mageia 2 packages.  Adding Bug 5496 back to the tracker.

Depends on: (none) => 5496

5701 is now fixed in Cauldron.

Depends on: 5701 => (none)

5699 is now fixed in Cauldron.

Depends on: 5699 => (none)

5714 is now fixed in Cauldron.

Depends on: 5714 => (none)

(In reply to comment #25)
> 5714 is now fixed in Cauldron.

Not yet.  It was submitted, but the build failed.

Depends on: (none) => 5714

Linking in 5063 for the newly announced major PHP security issues, see:
https://bugs.mageia.org/show_bug.cgi?id=5063#c18

It allows remote code execution and all kinds of other problems, and it has publicly available exploits, including a metasploit module.

A fix is supposed to be available from upstream soon, we really should try to get it in.

Depends on: (none) => 5063

Closing now this tracker as Mageia 2 final release  is very near now

really closing

Status: NEW => RESOLVED
Resolution: (none) => FIXED