Gerfried Fuchs uploaded new packages for wesnoth which fixed the
following security problems:

CVE-2009-0367

  It was possible to circumvent the implementation of the sandbox for
  the Python AIs, allowing them to execute arbitrary Python code on the
  client's machine. Please note that the official servers never had such
  malicious code and were patched to not accept any Python code anymore.

CVE-2009-0366

  Through the gzip compression it was possible to send a rather small
  compressed map to a server which expanded it in memory, resulting in
  memory exhaustion and a possible crash.

For the etch-backports distribution the problems have been fixed in
version 1:1.4.4-2+lenny1~bpo40+1.

For the lenny-backports distribution the problems have been fixed in
version 1:1.4.7-4~bpo50+1.

For the sid distribution the problems have been fixed in version
1:1.4.7-4.

Please note that squeeze, the current testing distribution, does not
receive security updates in a timely manner, see the announcement mail
from the testing security team:
<http://lists.debian.org/debian-testing-security-announce/2008/12/msg00019.html>

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t etch-backports install <packagelist>" with the
packagelist of your installed packages affected by this update.

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository to 200 so that new
versions of installed backports will be installed automatically:

  Package: *
  Pin: release a=etch-backports
  Pin-Priority: 200
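The memory-exhaustion class described under CVE-2009-0366 is avoided by capping the inflated size while decompressing instead of expanding the whole stream first. The following is an added example, not part of the original announcement and not wesnoth's actual patch; the names bounded_gunzip and MAX_MAP_BYTES and the 4 MiB limit are assumptions chosen for illustration.

```python
import gzip
import zlib

MAX_MAP_BYTES = 4 * 1024 * 1024  # assumed cap; size it to the largest legitimate map
CHUNK = 64 * 1024                # output produced per decompress() call


class DecompressionLimitExceeded(Exception):
    """The stream would inflate past the configured limit."""


def bounded_gunzip(data: bytes, limit: int = MAX_MAP_BYTES) -> bytes:
    """Inflate the first gzip member in `data`, never holding more than limit + 1 bytes."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + ... selects gzip framing
    out = bytearray()
    pending = data
    while not inflater.eof:
        # max_length bounds this call's output; one byte past the limit is enough
        # to prove the stream is oversized without inflating the rest of it.
        room = limit - len(out)
        chunk = inflater.decompress(pending, min(CHUNK, room + 1))
        out += chunk
        if len(out) > limit:
            raise DecompressionLimitExceeded(f"inflated size exceeds {limit} bytes")
        pending = inflater.unconsumed_tail  # input zlib has not consumed yet
        if not chunk and not pending and not inflater.eof:
            raise ValueError("truncated or empty gzip stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed inputs: a small payload and 16 MiB of zero bytes.
    ok = gzip.compress(b"constructed sample map data")
    bomb = gzip.compress(bytes(16 * 1024 * 1024))
    print(len(ok), "->", len(bounded_gunzip(ok)))
    try:
        bounded_gunzip(bomb, limit=1024 * 1024)
    except DecompressionLimitExceeded as exc:
        print(len(bomb), "compressed bytes rejected:", exc)
```

A receiver would apply the same cap per connection and reject the upload when the exception is raised, so the cost of an oversized stream stays bounded by the limit rather than by what the sender chose to compress.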