Date: Fri, 13 Jan 2012 13:58:05 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for OpenTTD - use CVE-2012-0049!

On 01/13/2012 01:56 PM, Kurt Seifried wrote:
> On 01/09/2012 11:48 AM, Kurt Seifried wrote:
>> On 01/07/2012 08:13 AM, Rubidium wrote:
>>> Hi folks,
>>>
>>> we, the OpenTTD developers, have identified a security vulnerability in
>>> OpenTTD (an open source game with multiplayer). Would you be so kind
>>> as to allocate a CVE id for this issue?
>>>
>>> The issue concerns a denial of service vulnerability in the form of a
>>> slow read attack preventing anyone from joining the server, and preventing
>>> the continuation of a game when 'pause on join' is enabled. This
>>> attack requires the attacker to be authorized, but most servers do not
>>> implement authorization. The first vulnerable version is 0.3.5, the
>>> upcoming 1.1.5 release will have the issue fixed.
>>>
>>> Once a CVE id is allocated, the issue and fix will be documented at
>>> http://security.openttd.org/CVE-2012-xxxx
>>>
>>> Thanks in advance,
>>> Remko 'Rubidium' Bijker
>>>
>>> (Please CC me, I'm not subscribed)
>> Need more information like a code commit to link to.
>>
>> -- Kurt Seifried / Red Hat Security Response Team
> Rubidium replied to me offlist:
>
> http://vcs.openttd.org/svn/changeset/23764
>
> Please use CVE-2012-0048 for this issue.
>
>
>
Augh typo, that should have been CVE-2012-0049!

-- 

-- Kurt Seifried / Red Hat Security Response Team
