To: Simon McVittie
From: Adam D. Barratt
Subject: Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
Date: Sun, 18 Mar 2012 15:58:40 +0000
 

On Thu, 2012-03-08 at 14:12 +0000, Simon McVittie wrote:
> Tremulous 1.1.0-7 (contrib) is believed to fix CVE-2006-2082, CVE-2006-2236,
> CVE-2006-2875, CVE-2006-3324, CVE-2006-3325, CVE-2011-3012, CVE-2011-2764.
> The Security Team have indicated that they do not issue DSAs for contrib
> packages.
>
> I propose to use a package functionally identical to 1.1.0-7 (differing
> only in its changelog and target distribution) as the stable update;
> I've avoided making any changes not targeted as a security update.

Thanks for working on fixing this in stable, and sorry for the slight
delay in getting back to you.

> * As a precaution, disable auto-downloading

Specifically, this not only disables auto-downloading but prevents users
from turning it back on should they so wish. I assume the logic here is
that there may still be security issues lurking which involve untrusted
content and just haven't been found yet?

Regards,

Adam



