Robert Duffy's .plan update:
We have just released a new point release for Quake 3 Arena, version 1.17.
This patch fixes a fairly serious security flaw in Quake 3 Arena. Internet
Security Systems identified the flaw and notified us with reproduction
details as well as an overview of the exploit. The basic nature of the
exploit is that malicious server operators could overwrite any file on a
client system. This type of thing is always possible with DLL based mods
( which is why we strongly recommend VM based mods ) but with this exploit,
it was possible within the VM system.
To help facilitate a rapid transition to the new codebase we have also
bumped the network protocol version. This means 1.17 is not network
compatible with any prior version.
The install also includes all 3 PK3 files, because the original "pak1.pk3"
was not included in the final 1.16 release for Mac and Win32 builds. This
will address some pure server connection issues. You will have to have all 3
pak files present to connect to a pure server.
In addition to this security fix, we have also fixed the following:
- Callvote to single player game type causes the server to crash.
- Crash in bot initialization on some systems.
If you're having problems with the release you can check Loki's Q3A newsgroup