iortcw (1.50a+dfsg1-3+deb9u1) stretch-security; urgency=medium

  * d/p/security/All-Fix-improve-buffer-overflow-in-MSG_ReadBits-MSG_Write.patch:
    Add patch (from ioquake3 via upstream) to fix a read buffer overflow
    in MSG_ReadBits (CVE-2017-11721)

 -- Simon McVittie <smcv@debian.org>  Tue, 08 Aug 2017 14:57:52 -0400

iortcw (1.50a+dfsg1-3) unstable; urgency=high

  * d/gbp.conf: switch branch to debian/stretch for updates during freeze
  * d/patches: Add patches from upstream fixing security vulnerabilities
    - refuse to load potentially auto-downloadable .pk3 files as
      iortcw renderers, iortcw game code, libcurl, or OpenAL drivers
      (mitigation: auto-downloading is off by default, and in Debian
      we do not dlopen libcurl anyway)
    - refuse to load default configuration file names from a .pk3 file
    - protect cl_renderer, cl_curllib, s_aldriver configuration variables so
      game code cannot set them
    - refuse to overwrite files other than *.txt with the dump console
      command
    - refuse to overwrite files other than *.cfg with the writeconfig
      console command
    (Closes: #857714)

 -- Simon McVittie <smcv@debian.org>  Tue, 14 Mar 2017 09:37:19 +0000

iortcw (1.50a+dfsg1-2) unstable; urgency=medium

  * Drop unused libspeexdsp-dev build-dependency
    (VoIP is now done using the Opus codec)
  * debian/watch: strip +dfsg1 suffix when comparing versions even if
    working from a release and not a datestamped snapshot
  * debian/apparmor.d: allow more forms of device enumeration

 -- Simon McVittie <smcv@debian.org>  Sat, 21 Jan 2017 20:25:48 +0000

iortcw (1.50a+dfsg1-1) unstable; urgency=medium

  * New upstream release 1.5a, represented as 1.50a here to make it
    sort in the intended order
    - drop patches that were merged upstream
    - debian/copyright: update
  * d/p/Don-t-require-.git-index-to-exist.patch: Fix FTBFS when
    .git/index doesn't exist

 -- Simon McVittie <smcv@debian.org>  Sun, 20 Nov 2016 22:27:56 +0000

iortcw (1.42d+dfsg1-5) unstable; urgency=medium

  * Fix date(1) syntax when using SOURCE_DATE_EPOCH
  * Mark patches as applied upstream or Debian-specific, as
    appropriate
  * Always do a "release" build. Override OPTIMIZE to empty instead of
    using upstream's "debug" build for noopt.
  * Use upstream's copyfiles (install) target instead of reimplementing it
  * Write generated scripts directly into debian/tmp/usr/games
  * Add missing dependency on lsb-base, detected by lintian
  * Sync AppArmor profile with ioquake3

 -- Simon McVittie <smcv@debian.org>  Sat, 05 Nov 2016 22:36:05 +0000

iortcw (1.42d+dfsg1-4) unstable; urgency=medium

  * Normalize packaging via wrap-and-sort -abst
  * debian/gbp.conf: use DEP-14 branch names debian/master, upstream/latest
  * Remove rtcw-dbg binary package and rely on automatic dbgsym packages
  * debian/rules: improve get-orig-source target
  * Bump debhelper compat level to 10
    - don't explicitly use dh-systemd, it is now integrated
    - don't explicitly do a parallel build, it is the default
  * debian/rules: align with ioquake3's (cosmetic changes only)

 -- Simon McVittie <smcv@debian.org>  Wed, 21 Sep 2016 20:10:00 +0100

iortcw (1.42d+dfsg1-3) unstable; urgency=medium

  * Standards-Version: 3.9.8 (no changes required)
  * d/rules: remove misleading leftover comment
  * Upload to unstable

 -- Simon McVittie <smcv@debian.org>  Sun, 17 Jul 2016 20:25:40 +0100

iortcw (1.42d+dfsg1-2) experimental; urgency=medium

  * apparmor: add a child profile for the "safe mode" popups (tested
    with xmessage and zenity - kdialog will probably need more rules)
  * apparmor: don't try to run dh_apparmor on non-Linux ports
  * apparmor: #include the local snippets created by dh_apparmor
  * Add patch to replace __DATE__ with $SOURCE_DATE_EPOCH if set;
    that variable is set automatically by recent debhelper
  * Add Documentation key to the systemd services
  * Add a patch fixing some spelling mistakes in user-visible messages
    (but not "persistant", which is unfortunately part of the API)
  * Enable full compiler hardening

 -- Simon McVittie <smcv@debian.org>  Mon, 21 Mar 2016 09:39:40 +0000

iortcw (1.42d+dfsg1-1) experimental; urgency=medium

  * New upstream release
    - Please note that this upstream release changes the location of game
      files from ~/.iortcw to ~/.wolf.
    - debian/copyright: update
    - debian/rules: update get-orig-source
  * debian/scripts/rtcw.in: use ~/.wolf even in non-release snapshots that
    would normally use ~/.iortcw, for consistency
  * Add a patch to force the "autoupdate" mechanism to be disabled.
    This was off by default anyway, but if enabled, it would download and
    execute arbitrary code from Activision servers without authentication.
  * Switch Vcs-Git to https (see #810378)
  * Standards-Version: 3.9.7 (no changes needed)
  * Add experimental AppArmor profiles to protect the client and server,
    both in "complain" mode for now

 -- Simon McVittie <smcv@debian.org>  Tue, 08 Mar 2016 08:00:37 +0000

iortcw (1.42b+20151119+dfsg1-1) experimental; urgency=medium

  * New upstream snapshot
    - build-depend on Freetype which is now enabled by default upstream
    - enable the new ARMv7 JIT on armhf, forcibly disable it elsewhere
      (avoiding uname)
    - debian/copyright: update
  * debian/rules: maintainer-get-orig-source: put the tarball in
    ../build-area

 -- Simon McVittie <smcv@debian.org>  Sat, 21 Nov 2015 23:11:58 +0000

iortcw (1.42b+20150930+dfsg1-1) experimental; urgency=low

  * New package for Return to Castle Wolfenstein (Closes: #773742)
    - game-data-packager (>= 40) can package the required non-free data
  * Packaging based on ioquake3
  * Initial Debian changes, similar to ioquake3:
    - exclude non-Free lcc compiler (licensed for non-commercial use only)
    - exclude {MP,SP}/media: licensing unclear, and not needed
      (game-data-packager downloads and repackages an unofficial content patch
      from iortcw at the same time it downloads the official patch)
    - exclude Free third-party libraries too, to simplify license compliance,
      and use system copies of those libraries instead:
      cURL, Freetype, libjpeg, libogg, OpenAL, libopus, SDL2, libvorbis, zlib
    - run in a window by default per Games Team policy
    - disable auto-downloading by default since it is a security risk
    - reinstate checks for executable file overwriting and remove code to
      unpack arbitrary native code from (potentially auto-downloaded)
      game mods, fixing vulnerabilities similar to CVE-2011-3012 but
      breaking some mods as an unfortunate but unavoidable side-effect

 -- Simon McVittie <smcv@debian.org>  Mon, 05 Oct 2015 00:17:58 +0100
