On Thu, 2012-03-08 at 14:12 +0000, Simon McVittie wrote:
> Tremulous 1.1.0-7 (contrib) is believed to fix CVE-2006-2082, CVE-2006-2236,
> CVE-2006-2875, CVE-2006-3324, CVE-2006-3325, CVE-2011-3012, CVE-2011-2764.
> The Security Team have indicated that they do not issue DSAs for contrib
> packages.
>
> I propose to use a package functionally identical to 1.1.0-7 (differing
> only in its changelog and target distribution) as the stable update;
> I've avoided making any changes not targeted as a security update.

Thanks for working on fixing this in stable, and sorry for the slight delay in getting back to you.

> * As a precaution, disable auto-downloading

Specifically, this not only disables auto-downloading but prevents users from turning it back on should they so wish. I assume the logic here is that there may still be security issues lurking which involve untrusted content and just haven't been found yet?

Regards,

Adam

