This ioquake3 vulnerability almost certainly affects OpenArena:
https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/

Mitigation: turn off auto-downloading.
The openarena package in Debian unstable uses Debian's copy of ioquake3, which I fixed this morning for unstable. The ioquake3 packages in Debian stable and testing will be fixed soon.
For the people who get their binaries directly from openarena.ws instead of from Linux distributions, it would be great if someone could do an OpenArena 0.8.9 (or 0.8.8.1 or whatever) engine release with the various security fixes that have happened since 0.8, and publish that alongside the rest of the "official" 0.8.8 downloads.
----
Editorial:
Don't use auto-downloading, and don't let your friends use auto-downloading.
Auto-downloading lets malicious server admins send you malware. Auto-downloading also lets malicious people who are not server admins send you malware (one of the OpenJK developers has tried it and reports that it isn't very difficult). The Internet has a lot of malicious people, some of them literally members of organised crime syndicates. I strongly recommend not making yourself an easy target.
While the ioquake3 maintainers are continuing to patch the worst issues, the fundamental problem remains: if auto-downloading is enabled, the idTech3 (Quake 3) engine is downloading executable code (whether in the form of QVM bytecode, or exec'able cfg files, or whatever else) over an unauthenticated channel, and then running it.
There is currently no way to have auto-downloading for "safe" content (like maps) without also getting auto-downloading for unsafe executable code. I'm working on it (see another topic).
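To make the "maps versus executable code" point concrete, here is an added example (my own illustration, not code from OpenArena or ioquake3) with two offline checks a player can run against their own install: whether the config still enables auto-downloading, and whether the pk3 files that auto-download already fetched contain anything the engine will run rather than just map data. It assumes only standard facts about the engine: pk3 files are zip archives merged onto the search path, the client-side switch is the cl_allowDownload cvar (ioquake3 enables downloads when its bit 0, DLF_ENABLE, is set; plain 0 disables), and the engine loads vm/*.qvm and exec's *.cfg from any pk3 it finds. The sample pk3s and config snippets are constructed in-memory; the hostile-file list for native libraries is my own cautious choice, not engine behaviour.

```python
"""Audit an idTech3 (Quake 3) install for auto-download risk.

Added example, not code from the OpenArena or ioquake3 projects.
Checks:
  1. Does q3config.cfg / autoexec.cfg still turn cl_allowDownload on?
  2. Do downloaded pk3 files carry content the engine will *execute*
     (QVM bytecode, exec'able cfg scripts) rather than map data?
A pk3 is an ordinary zip archive and the engine merges every pk3 on the
search path into one virtual filesystem, so a "map pack" can ship
vm/cgame.qvm or autoexec.cfg just as easily as maps/foo.bsp.
"""
import io
import re
import zipfile

# Content the engine loads and runs (QVM bytecode) or exec's (cfg scripts).
EXECUTABLE_SUFFIXES = (".qvm", ".cfg")
# Native code never belongs in a pk3; flag it as hostile too (my assumption,
# the engine does not load native libraries out of pk3s, but it should not be there).
NATIVE_SUFFIXES = (".so", ".dll", ".dylib")


def executable_entries(pk3_bytes: bytes) -> list[str]:
    """Return the archive members that would be executed, sorted by name."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(pk3_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(EXECUTABLE_SUFFIXES + NATIVE_SUFFIXES):
                flagged.append(name)
    return sorted(flagged)


# Matches lines such as:  seta cl_allowDownload "1"   /  set cl_allowDownload 0
_ALLOW_DL = re.compile(r'^\s*(?:seta?\s+)?cl_allowDownload\s+"?(\d+)"?', re.I | re.M)


def autodownload_enabled(cfg_text: str, default: int = 0) -> bool:
    """True if the config leaves auto-downloading on.

    The last assignment wins, as it does when the engine exec's the file.
    ioquake3 treats the value as a bitmask and downloads only when bit 0
    (DLF_ENABLE) is set.  `default` is used when the cvar is never set;
    it depends on the build (ioquake3 ships 0), so pass your engine's value.
    """
    values = _ALLOW_DL.findall(cfg_text)
    last = int(values[-1]) if values else default
    return bool(last & 1)


def build_sample_pk3(trojaned: bool) -> bytes:
    """Construct an in-memory pk3 (sample data, not a real OpenArena map)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("maps/oa_example.bsp", b"IBSP")          # map geometry
        zf.writestr("levelshots/oa_example.jpg", b"\xff\xd8")  # preview image
        zf.writestr("scripts/oa_example.arena", b"{ map oa_example }")
        if trojaned:
            # Same archive, now also replacing the client game VM and
            # dropping a cfg that the engine will exec on startup.
            zf.writestr("vm/cgame.qvm", b"\x12\x72\x1c\x44")   # fake QVM magic
            zf.writestr("autoexec.cfg", b'set fs_game evil\n')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed config snippets: first one leaves downloads on, second turns
    # them off again on the last line.
    on_cfg = 'seta cl_allowDownload "1"\nseta sv_pure "1"\n'
    off_cfg = 'seta cl_allowDownload "1"\nseta cl_allowDownload "0"\n'
    print("config A enables auto-download:", autodownload_enabled(on_cfg))
    print("config B enables auto-download:", autodownload_enabled(off_cfg))
    for label, trojaned in (("clean map pk3", False), ("trojaned map pk3", True)):
        print(label, "->", executable_entries(build_sample_pk3(trojaned)) or "no executable content")
```

Run it over the pk3 files in baseoa/ (or whatever fs_game directory the server pointed you at) to see how often a "map" came bundled with a vm/ directory; the clean archive and the trojaned one are indistinguishable to the auto-download code, which is exactly why turning the feature off is the only mitigation available today.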