Bug#406400: nexuiz: Open security fixes in Etch
Cyril Brulebois
cyril.brulebois at enst-bretagne.fr
Thu Jan 11 05:35:25 CET 2007
Moritz Muehlenhoff <jmm at debian.org> (10/01/2007):
> I'm currently busy and hadn't had the time to investigate it myself
> yet, but it should be tracked for Etch:
> - fixed fake players DoS (CVE-2006-6609)
> - fixed clientcommands remote console command injection (CVE-2006-6610)
>
> If the second vulnerability refers to shell command execution and not
> to some kind of in-game-console ala Quake this warrants an RC security
> bug.
By googling on the CVE IDs, I found a site[1] stating that it is about
shell command execution:
``A remote attacker could exploit this vulnerability to execute
arbitrary commands on the system.''
1. http://xforce.iss.net/xforce/xfdb/30875
Since 2.2.1-1 has been in sid for 26 days, I was wondering whether
pushing this version into etch would be an acceptable fix.
Cheers,
--
Cyril Brulebois
PS: Sorry for the delay. I asked this on #d-s just after having talked a
bit with Bruno when we got your bug report, and was waiting a bit for
an answer out there.