Date: Fri, 13 Jan 2012 13:56:51 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for OpenTTD

On 01/09/2012 11:48 AM, Kurt Seifried wrote:
> On 01/07/2012 08:13 AM, Rubidium wrote:
>> Hi folks,
>>
>> we, the OpenTTD developers, have identified a security vulnerability in
>> OpenTTD (an open source game with multiplayer). Would you be so kind
>> as to allocate a CVE id for this issue?
>>
>> The issue concerns a denial of service vulnerability in the form of a
>> slow read attack preventing anyone to join the server, and preventing
>> the continuation of a game when 'pause on join' is enabled. This
>> attack requires the attacker to be authorized, but most servers do not
>> implement authorization. The first vulnerable version is 0.3.5, the
>> upcoming 1.1.5 release will have the issue fixed.
>>
>> Once a CVE id is allocated, the issue and fix will be documented at
>> http://security.openttd.org/CVE-2012-xxxx
>>
>> Thanks in advance,
>> Remko 'Rubidium' Bijker
>>
>> (Please CC me, I'm not subscribed)
> Need more information like a code commit to link to.
>
> -- Kurt Seifried / Red Hat Security Response Team

Rubidium replied to me offlist:

http://vcs.openttd.org/svn/changeset/23764

Please use CVE-2012-0048 for this issue.

--
-- Kurt Seifried / Red Hat Security Response Team