
Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)



On Thu, 2012-03-08 at 14:12 +0000, Simon McVittie wrote:
> Tremulous 1.1.0-7 (contrib) is believed to fix CVE-2006-2082, CVE-2006-2236,
> CVE-2006-2875, CVE-2006-3324, CVE-2006-3325, CVE-2011-3012, CVE-2011-2764.
> The Security Team have indicated that they do not issue DSAs for contrib
> packages.
> 
> I propose to use a package functionally identical to 1.1.0-7 (differing
> only in its changelog and target distribution) as the stable update;
> I've avoided making any changes not targeted as a security update.

Thanks for working on fixing this in stable, and sorry for the slight
delay in getting back to you.

>   * As a precaution, disable auto-downloading

Specifically, this not only disables auto-downloading but prevents users
from turning it back on should they so wish.  I assume the logic here is
that there may still be security issues lurking which involve untrusted
content and just haven't been found yet?

Regards,

Adam



