tremulous (1.1.0-8~squeeze1) stable; urgency=low

  * Stable update, incorporating a security fix from unstable

 -- Simon McVittie <smcv@debian.org>  Thu, 29 Mar 2012 20:40:49 +0100

tremulous (1.1.0-8) unstable; urgency=medium

  * Backport ioquake3 r1762, r1763, r1898 to rate-limit getstatus and
    rcon connectionless packets, to avoid their use for traffic amplification.
    CVE-2010-5077 (Closes: #665842)
  * Fix an incorrect bug number in revision -6

 -- Simon McVittie <smcv@debian.org>  Tue, 27 Mar 2012 20:33:10 +0100

tremulous (1.1.0-7~squeeze1) stable; urgency=low

  * Stable update (#663104), incorporating security fixes from unstable
  * Fix an incorrect bug number in revision -6

 -- Simon McVittie <smcv@debian.org>  Sun, 25 Mar 2012 13:53:09 +0100

tremulous (1.1.0-7) unstable; urgency=medium

  * Add a lintian override for embedded-library libjpeg (#589407) to avoid
    auto-rejection. It is a valid bug, but is not a regression, and fixing
    several long-standing security vulnerabilities seems more important
    than getting rid of an embedded library that is not known to be
    exploitable.

 -- Simon McVittie <smcv@debian.org>  Wed, 22 Feb 2012 10:00:04 +0000

tremulous (1.1.0-6) unstable; urgency=medium

  * Backport patches from ioquake3 to fix long-standing security bugs:
    - CVE-2006-2082: arbitrary file download from server by a malicious client
      (Closes: #660831)
    - CVE-2006-2236 ("the remapShader exploit"): missing bounds-checking on
      COM_StripExtension, exploitable in clients of a malicious server
      (Closes: #660827)
    - CVE-2006-2875 ("q3cbof"): buffer overflow in CL_ParseDownload by a
      malicious server (Closes: #660830)
    - CVE-2006-3324: arbitrary file overwriting in clients of a malicious
      server (Closes: #660832)
    - CVE-2006-3325: arbitrary cvar overwriting (could lead to arbitrary
      code execution) in clients of a malicious server (Closes: #660834)
    - CVE-2011-3012, CVE-2011-2764: DLL overwriting (leading to arbitrary
      code execution) in clients of a malicious server if auto-downloading
      is enabled (Closes: #660836)
  * As a precaution, disable auto-downloading
  * Backport ioquake3 r1141 to fix a potential buffer overflow in error
    handling (not known to be exploitable, but it can't hurt)
  * Add gcc attributes to all printf- and scanf-like functions, and
    fix non-literal format strings (again, none are known to be exploitable)

 -- Simon McVittie <smcv@debian.org>  Wed, 22 Feb 2012 09:07:37 +0000

tremulous (1.1.0-5) unstable; urgency=low

  * New maintainer - Debian Games Team
  * Set source format to 3.0 (quilt)
  * Separate out patches from previous versions into debian/patches
  * Replace the patch for Bug #382121 with a more complete upstream fix
    from ioquake3 bug 3756, which just uses the OS's memcpy()
  * Apply patch from ioquake3 bug 4331 to fix invalid use of strcpy
    (Closes: #583939)
  * Fix tremulous --help and tremulous-server --help (Closes: #566530)
  * Remove bashisms from those script wrappers (Closes: #530209, #530210)
  * Set dedicated cvar to 1 by default, to not advertise unconfigured servers
    to the master server; use "+set dedicated 2" to advertise your server
    (Closes: #485579)
  * Apply part of upstream r785 to fix disappearing cursor on errors
    (Closes: #473848)
  * Apply part of upstream r756 to fix sorting by ping, and install the
    modified menu to override the one in tremulous-data (Closes: #476621)
  * Disable JIT QVM compiler (which seems to crash on startup) on x86-64,
    falling back to the architecture-neutral QVM interpreter
  * Improve the tremulous-server init script (Closes: #469576):
    - stop the process correctly
    - disable the tremulous-server init script by default - enable it in
      /etc/default/tremulous-server if you want a system-wide instance
    - run tremded under a dedicated user ID, not as nobody (which shouldn't be
      used like this)
    - give that dedicated user ID a home directory, since Tremulous needs one
  * Fix sections in menu and doc-base
  * Add ${misc:Depends}
  * Advance to Debhelper 7 compatibility
  * Fix section of tremulous-doc
  * Fix hyphen/minus confusion in man pages
  * Fail prerm on errors
  * Stop creating empty directories
  * Correct .desktop categories, and remove obsolete Encoding key
  * Standards-Version: 3.9.0
    - state in copyright that the package is not in Debian, due to non-free
      dependency
    - known violation: embedded copy of libjpeg (reported as a bug)

 -- Simon McVittie <smcv@debian.org>  Sat, 17 Jul 2010 15:19:27 +0100

tremulous (1.1.0-4.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fixed bashism in init script (closes: #465373)
  * Fixed watch file (closes: #449754)

 -- Peter Eisentraut <petere@debian.org>  Sat, 05 Apr 2008 01:37:49 +0200

tremulous (1.1.0-4) unstable; urgency=low

  * Fixed tremulous shell script to run from xqf

 -- Damien Laniel <heretik@tuxfamily.org>  Thu, 14 Jun 2007 14:11:02 +0200

tremulous (1.1.0-3) unstable; urgency=low

  * Changed long description to make FPS and RPS more explicit (Closes: #380065)
  * Removed useless cgame$ARCH.so, game$ARCH.so and uix86.so in /usr/lib/tremulous
  * Fixed some bashisms in /usr/games scripts (Closes: #381871)
  * Applied the patch to remove the warning about OP_BLOCK_COPY on ppc (Closes: #382121)
  * Trying to solve build problems on alpha

 -- Damien Laniel <heretik@tuxfamily.org>  Wed, 27 Sep 2006 22:36:16 +0200

tremulous (1.1.0-2) unstable; urgency=low

  * Changed target architecture to any (Closes: #377419)

 -- Damien Laniel <heretik@tuxfamily.org>  Tue,  8 Aug 2006 20:27:07 +0200

tremulous (1.1.0-1) unstable; urgency=low

  * Initial release (Closes: #363581)
  * Made 4 packages: client, server, data (non-free, different source package) and docs
  * Argued with upstream authors about the data license:
    - The media license exception has been changed to CC-Sa 2.5
    - Data under CC-Sa 2.5 will become CC 3 when it is out
    - The tools used to build the qvm files are still non-free but don't need to be included in Debian

 -- Damien Laniel <heretik@tuxfamily.org>  Wed, 19 Apr 2006 21:42:53 +0200
