Moritz Muehlenhoff <[EMAIL PROTECTED]> (10/01/2007):
> I'm currently busy and hadn't had the time to investigate it myself
> yet, but it should be tracked for Etch:
> - fixed fake players DoS (CVE-2006-6609)
> - fixed clientcommands remote console command injection (CVE-2006-6610)
>
> If the second vulnerability refers to shell command execution and not
> to some kind of in-game-console ala Quake this warrants an RC security
> bug.

By googling on the CVE IDs, I found a site[1] stating that it is about
shell command execution: ``A remote attacker could exploit this
vulnerability to execute arbitrary commands on the system.''

 1. http://xforce.iss.net/xforce/xfdb/30875

Since 2.2.1-1 has been in sid for 26 days, I was wondering whether
pushing this version into etch would be an acceptable fix.

Cheers,

-- 
Cyril Brulebois

PS: Sorry for the delay. I asked this on #d-s just after having talked a
bit with Bruno when we got your bug report, and was waiting a bit for an
answer out there.