retitle 665656 openarena-server: [CVE-2010-5077] traffic amplification via getstatus requests
retitle 665842 tremulous: [CVE-2010-5077] traffic amplification via getstatus requests
thanks
On 26/03/12 11:23, Simon McVittie wrote:
> It has been discovered that spoofed "getstatus" UDP requests are being
> used by attackers[0][1][2][3] to direct status responses from multiple
> Quake 3-based servers to a victim, as a traffic amplification mechanism
> for a denial of service attack on that victim.
>
> Open-source games derived from the Quake 3 engine are typically based on
> ioquake3 [4], a popular fork of that engine. This vulnerability was
> fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
> rate-limit to the getstatus request. Like several other known and fixed
> vulnerabilities, it is not fixed in the latest official ioquake3 release
> (1.36, April 2009).
>
> If a CVE ID is allocated for this vulnerability, please reference
> ioquake3 r1762 prominently in any advisory.

CVE-2010-5077 has now been allocated for this.
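The mitigation the quoted message refers to is a rate limit on getstatus replies. The following is an added illustrative example of such a limit, not the ioquake3 r1762 change itself (that code is not reproduced here): a per-source-address token bucket in front of the getstatus handler. Bucket count, burst size, refill period and the use of a bare IPv4 address as the key are all assumptions made for the example. The point a practitioner should take from it is in rl_allow_getstatus: a query over the limit is dropped silently, because any reply at all, including an error, is still amplified traffic delivered to the spoofed victim.

```c
/* Added example: minimal per-source-address token-bucket limiter for
 * "getstatus" queries. Illustrative only; NOT the ioquake3 r1762 change.
 * Table size, burst, refill period and IPv4 keying are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RL_BUCKETS   64    /* assumption: tracked source addresses */
#define RL_BURST     4     /* assumption: replies a fresh source gets at once */
#define RL_PERIOD_MS 250   /* assumption: one token refilled per 250 ms */

typedef struct {
    uint32_t addr;     /* IPv4 source, host byte order; 0 marks an unused slot */
    int      tokens;   /* replies currently permitted */
    uint64_t last_ms;  /* time of the last refill */
} rl_entry_t;

static rl_entry_t rl_table[RL_BUCKETS];

void rl_reset(void) { memset(rl_table, 0, sizeof rl_table); }

/* Find the bucket for addr, or evict the least recently refilled slot. */
static rl_entry_t *rl_lookup(uint32_t addr, uint64_t now_ms) {
    rl_entry_t *victim = &rl_table[0];
    for (int i = 0; i < RL_BUCKETS; i++) {
        if (addr != 0 && rl_table[i].addr == addr) return &rl_table[i];
        if (rl_table[i].last_ms < victim->last_ms) victim = &rl_table[i];
    }
    victim->addr = addr;
    victim->tokens = RL_BURST;   /* a new source starts with a full bucket */
    victim->last_ms = now_ms;
    return victim;
}

/* Returns 1 if a getstatus from addr at now_ms may be answered, 0 if it must
 * be dropped without any reply (a reply of any kind is amplified traffic). */
int rl_allow_getstatus(uint32_t addr, uint64_t now_ms) {
    rl_entry_t *e = rl_lookup(addr, now_ms);
    if (now_ms > e->last_ms) {
        uint64_t refill = (now_ms - e->last_ms) / RL_PERIOD_MS;
        if (refill > 0) {
            uint64_t t = (uint64_t)e->tokens + refill;
            e->tokens = t > RL_BURST ? RL_BURST : (int)t;
            e->last_ms += refill * RL_PERIOD_MS;  /* keep the remainder */
        }
    }
    if (e->tokens > 0) { e->tokens--; return 1; }
    return 0;
}

/* Feed count queries from one (spoofed) source, step_ms apart, and report
 * how many the server would have answered. */
int rl_simulate_flood(uint32_t addr, int count, uint64_t start_ms, uint64_t step_ms) {
    int answered = 0;
    for (int i = 0; i < count; i++)
        if (rl_allow_getstatus(addr, start_ms + (uint64_t)i * step_ms)) answered++;
    return answered;
}

int main(void) {
    rl_reset();
    /* constructed input: 100 spoofed queries from 10.0.0.1, 10 ms apart */
    int answered = rl_simulate_flood(0x0A000001u, 100, 1000, 10);
    printf("answered %d of 100 getstatus queries within one second\n", answered);
    return 0;
}
```

With the assumed parameters a flood of 100 queries in one second from a single spoofed source yields 7 replies (the initial burst of 4 plus one per refill period), so the amplification the attacker can extract per victim address is bounded regardless of how fast they send. Keying on the claimed source address is what makes this work against a spoofing attacker: the victim's address is the one that gets throttled.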