Re: CVE request for OpenTTD

[Kurt Seifried <kseifried () redhat com>]

On 01/09/2012 11:48 AM, Kurt Seifried wrote:
> On 01/07/2012 08:13 AM, Rubidium wrote:
> > Hi folks,
> >
> > we, the OpenTTD developers, have identified a security vulnerability in
> > OpenTTD (an open source game with multiplayer). Would you be so kind
> > as to allocate a CVE id for this issue?
> >
> > The issue concerns a denial of service vulnerability in the form of a
> > slow read attack preventing anyone to join the server, and preventing
> > the continuation of a game when 'pause on join' is enabled. This
> > attack requires the attacker to be authorized, but most servers do not
> > implement authorization. The first vulnerable version is 0.3.5, the
> > upcoming 1.1.5 release will have the issue fixed.
> >
> > Once a CVE id is allocated, the issue and fix will be documented at
> > http://security.openttd.org/CVE-2012-xxxx
> >
> > Thanks in advance,
> > Remko 'Rubidium' Bijker
> >
> > (Please CC me, I'm not subscribed)
> Need more information like a code commit to link to.
>
> -- Kurt Seifried / Red Hat Security Response Team
Rubidium replied to me offlist:

http://vcs.openttd.org/svn/changeset/23764

Please use CVE-2012-0048 for this issue.



-- 

-- Kurt Seifried / Red Hat Security Response Team