Package: openarena-server Version: 0.8.5-5+squeeze2 Severity: normal Tags: patch pending
When backporting upstream r1762 for CVE-2010-5077, I didn't also backport r1898, which fixes a regression caused by r1762. I believe the regression is that when the Q3 server clock (a 32-bit number of milliseconds) wraps around, the rate-limiting code drops all getstatus requests. In effect, this will mean that the server becomes unable to report its status after an uptime of about 50 days. (Obviously, I can't have tested this yet, because 50 days haven't elapsed... but the patch looks right, has been upstream for a year, and is in unstable.) I also propose to apply r1763, which initializes some variables that could otherwise be used uninitialized (an uninitialized pointer dereference) if the address family is neither IPv4 nor IPv6. I don't think this can actually happen, but the change is obviously correct and it seems better to be safe. Before fixing either of these, I'll ask ioquake3 upstream whether there are any other known regressions caused by that change. The proposed changes are in the debian-squeeze branch in git. Currently untested, I'll test before upload. http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=shortlog;h=refs/heads/debian-squeeze Would the security team want to do this via the security archive, since it fixes a regression from a security fix, or should I talk to the stable release team? Regards, S -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
