Full disclosure happens AFTER fixes are released.
As has already been said, there are patches pending release for numerous
other engine branches.
While the ship is halfway to sea given that a patch has been released for at
least one engine, it would be irresponsible to expose the several thousand
game servers on the other mainline branches to attack.


~~~~~
"Their heads are green, and their hands are blue,
      And they went to sea in a Sieve." - Edward Lear

On Thu, Feb 4, 2016 at 10:54 AM, Saint K. <sai...@specialattack.net> wrote:

> Hi,
>
>
>
> I have to agree with the user below. In the field of security it’s
> absolutely necessary to disclose full detail of said issue so other people
> can verify if they have been compromised or not.
>
>
>
> If we don’t know any of the details we neither know what to look for.
>
>
>
> Running the servers with least privilege is the absolute minimum you
> should do. But as you are probably aware, most systems that get compromised
> have been hacked through a whole series of weaknesses. One exploit could
> open up a way to execute other exploits, etc.
>
>
>
> Regards,
>
>
>
> Saint K.
>
>
>
> *From:* hlds-boun...@list.valvesoftware.com [mailto:
> hlds-boun...@list.valvesoftware.com] *On Behalf Of *Hasser Css
> *Sent:* Wednesday, February 03, 2016 11:01 PM
> *To:* Half-Life dedicated Win32 server mailing list <
> hlds@list.valvesoftware.com>
> *Subject:* Re: [hlds] Mandatory Team Fortress 2 update released
>
>
>
> Thanks for being one of the few Valve people who give any kind of
> communication, but that is a pretty bad explanation.
>
>
>
> One can say it is unlikely that people have been exploited because it was
> disclosed privately and such... but that is not a good security mindset.
> What exactly is the harm in saying the scope of the vulnerability,
> especially now that it is fixed? :/
>
>
>
> On Wed, Feb 3, 2016 at 7:29 PM, John Schoenick <jo...@valvesoftware.com>
> wrote:
>
> The issue in question was discovered and reported to us privately, so we
> don't expect any action should be necessary for up-to-date servers.
>
> It is always, of course, a good idea to ensure you are running servers
> with the least necessary privilege to limit the scope of any
> vulnerabilities future or present.
>
> - John
>
>
>
> On 02/02/2016 02:55 PM, Emil Larsson wrote:
>
> What was this security issue exactly? Any concerns for us server owners
> for previously leaked rcon passwords? Or files being uploaded that aren't
> sprays?
>
> On 2 Feb 2016 23:26, "Eric Smith" <er...@valvesoftware.com> wrote:
>
> We've released a mandatory update for TF2. The update notes are below. The
> new version is 3271684.
>
> -Eric
>
> -------------------------------
>
> - Fixed a security issue related to the file system (thanks to Simon
> Pinfold for this report)
> - Fixed a client crash related to the material system
> - Fixed a crash when using medium or low texture quality on maps with
> static prop lighting
> - Fixed not seeing team names when using custom scoreboards
> - Fixed leaderboards occasionally not displaying when changing map
> - Improved bspzip tool stability when packing maps with large amounts of
> custom assets
> - Updated the contents of the Gargoyle Case, the Fall 2013 Acorns Crate,
> the Love And War Cosmetics Bundle, the Mann Co. Strongbox, and the Mann Co.
> Stockpile Crate
> - Updated the model/materials for the Crusader's Getup and Arthropod's
> Aspect
> - Updated The HazMat Headcase so it can be equipped by the Sniper
> - Updated The Mustachioed Mann so it can be equipped by all classes and
> added a second style
> - Updated The Special Eyes so it can be equipped by the Pyro and added a
> second style
> - Updated The Frenchman's Formals to hide the Scout's dog-tags
> - Updated the equip_region for the Cheater's Lament and added a new style
> - Updated the Backburner to add the pilot light
> - Updated the Rainblower to remove the pilot light
> - Updated several materials to fix issues caused by mat_picmip
> - Updated the localization files
> - Updated pl_borneo
>         - Fixed an exploit where players could get outside the map
> - Updated ctf_landfall
>         - Fixed some material issues
> - Updated cp_vanguard
>         - Added new path to the last point
>         - New geometry to reduce sightlines on the middle point
>         - Reorganized spawn points to better exit final spawns
>         - Fixed Red forward spawn door blocking when held open
>         - Fixed some material issues
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
>