Hello, Just to notify you that you shouldn't care about OpenArena anyway because it's in the process of upgrading to the latest ioquake3 releases and maintaining that state using GitHub (the engine is already ported, the gamecode is in the process).
Regards, Stephen Larroque Le 27 mars 2012 12:29, Simon McVittie <[email protected]> a écrit : > On 27/03/12 08:01, Ludwig Nussel wrote: > > JFYI, CVE-2010-5077 was assigned to commit 1762 (DDoS mitiation) > > http://icculus.org/pipermail/quake3-commits/2010-January/001679.html > > http://www.openwall.com/lists/oss-security/2012/03/26/2 > > http://www.openwall.com/lists/oss-security/2012/03/26/5 > > It seems that backporting only r1762 isn't such a great idea, since > there's a regression (fixed in r1898) - after 2**32 milliseconds (about > 50 days), Sys_Milliseconds() wraps around and the rate-limiting code > drops all getstatus requests. > > r1762 also has some potentially-uninitialized variables (fixed in r1763) > although I'm not sure that they can actually be uninitialized in > practice, since that would require the address family to be neither IPv4 > nor IPv6. > > Finally, if backporting to something based on a particularly old version > of ioquake3 (Tremulous 1.1.0, I'm looking at you...), beware that the > rate-limiting code assumes that NA_BAD == 0 (it zero-fills a hash table > bucket with Com_Memset(), then checks against NA_BAD). This is fine for, > say, OpenArena 0.8.5, but when backporting to something older than r1566 > you might need to change it to check for 0. > > Is there anything else I should be aware of when backporting? > > (Before anyone suggests it, no, in this context I can't just update to a > current version; in a stable release I need to use targeted patches.) > > S > _______________________________________________ > ioquake3 mailing list > [email protected] > http://lists.ioquake.org/listinfo.cgi/ioquake3-ioquake.org > By sending this message I agree to love ioquake3 and libsdl. >
_______________________________________________ ioquake3 mailing list [email protected] http://lists.ioquake.org/listinfo.cgi/ioquake3-ioquake.org By sending this message I agree to love ioquake3 and libsdl.
