Date: Fri, 13 Jan 2012 13:58:05 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for OpenTTD - use CVE-2012-0049!

On 01/13/2012 01:56 PM, Kurt Seifried wrote:
> On 01/09/2012 11:48 AM, Kurt Seifried wrote:
>> On 01/07/2012 08:13 AM, Rubidium wrote:
>>> Hi folks,
>>>
>>> we, the OpenTTD developers, have identified a security vulnerability in
>>> OpenTTD (an open source game with multiplayer). Would you be so kind
>>> as to allocate a CVE id for this issue?
>>>
>>> The issue concerns a denial of service vulnerability in the form of a
>>> slow read attack preventing anyone from joining the server, and preventing
>>> the continuation of a game when 'pause on join' is enabled. This
>>> attack requires the attacker to be authorized, but most servers do not
>>> implement authorization. The first vulnerable version is 0.3.5, the
>>> upcoming 1.1.5 release will have the issue fixed.
>>>
>>> Once a CVE id is allocated, the issue and fix will be documented at
>>> http://security.openttd.org/CVE-2012-xxxx
>>>
>>> Thanks in advance,
>>> Remko 'Rubidium' Bijker
>>>
>>> (Please CC me, I'm not subscribed)
>> Need more information like a code commit to link to.
>>
>> -- Kurt Seifried / Red Hat Security Response Team
> Rubidium replied to me offlist:
>
> http://vcs.openttd.org/svn/changeset/23764
>
> Please use CVE-2012-0048 for this issue.
>
>
Augh typo, that should have been CVE-2012-0049!

--
-- Kurt Seifried / Red Hat Security Response Team