Date: Fri, 13 Jan 2012 13:56:51 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for OpenTTD

On 01/09/2012 11:48 AM, Kurt Seifried wrote:
> On 01/07/2012 08:13 AM, Rubidium wrote:
>> Hi folks,
>>
>> we, the OpenTTD developers, have identified a security vulnerability in
>> OpenTTD (an open source game with multiplayer). Would you be so kind
>> as to allocate a CVE id for this issue?
>>
>> The issue concerns a denial of service vulnerability in the form of a
>> slow read attack preventing anyone from joining the server, and preventing
>> the continuation of a game when 'pause on join' is enabled. This
>> attack requires the attacker to be authorized, but most servers do not
>> implement authorization. The first vulnerable version is 0.3.5, the
>> upcoming 1.1.5 release will have the issue fixed.
>>
>> Once a CVE id is allocated, the issue and fix will be documented at
>> http://security.openttd.org/CVE-2012-xxxx
>>
>> Thanks in advance,
>> Remko 'Rubidium' Bijker
>>
>> (Please CC me, I'm not subscribed)
> Need more information like a code commit to link to.
>
> -- Kurt Seifried / Red Hat Security Response Team
Rubidium replied to me offlist:

http://vcs.openttd.org/svn/changeset/23764

Please use CVE-2012-0048 for this issue.



-- 

-- Kurt Seifried / Red Hat Security Response Team
