Your message dated Tue, 27 Mar 2012 19:32:10 +0000
with message-id <e1scc7m-00055i...@franck.debian.org>
and subject line Bug#665656: fixed in openarena 0.8.5-5+squeeze2
has caused the Debian Bug report #665656,
regarding openarena-server: [CVE-2010-5077] traffic amplification via getstatus requests
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
665656: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openarena-server
Version: 0.8.5-5+squeeze1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
A few hours ago my openarena server was used for a distributed
reflected denial of service attack. I noticed unusually high outgoing
traffic on port 27960 (3MB/s) which was directed mainly towards
webservers in the beginning. The only solution was to shut down the
openarena-server or to create a new firewall rule.
After some investigation into the problem I discovered that it is well
known with Quake3-based engines. See [1], [2] and [3].
My server received many getstatus requests in a short amount of time
which were presumably faked by the real attacker.
The problem has also been discussed on the ioquake3 mailing list. [4]
One of the participants pointed out that a patch was introduced in 2010
which limits the rate of getstatus requests. [5] It might be a
potential fix or at least a mitigation for the attack.
I hope I could explain my problem understandably. That's all the
information I could gather so far.
An alternative way of preventing the DRDoS attack with iptables is described
in [6].
[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[3] http://www.urbanterror.info/forums/topic/27825-drdos/
[4] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
[6] http://www.altfire.com/main/news/index.php?news_id=586
Sincerely
Markus
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.17 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openarena-server depends on:
ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib
ii openarena-data 0.8.5-3 OpenArena game data
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openarena-server recommends no packages.
openarena-server suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: openarena
Source-Version: 0.8.5-5+squeeze2
We believe that the bug you reported is fixed in the latest version of
openarena, which is due to be installed in the Debian FTP archive:
openarena-server_0.8.5-5+squeeze2_i386.deb
to main/o/openarena/openarena-server_0.8.5-5+squeeze2_i386.deb
openarena_0.8.5-5+squeeze2.debian.tar.gz
to main/o/openarena/openarena_0.8.5-5+squeeze2.debian.tar.gz
openarena_0.8.5-5+squeeze2.dsc
to main/o/openarena/openarena_0.8.5-5+squeeze2.dsc
openarena_0.8.5-5+squeeze2_i386.deb
to main/o/openarena/openarena_0.8.5-5+squeeze2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 665...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated openarena package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sun, 25 Mar 2012 19:34:53 +0100
Source: openarena
Binary: openarena openarena-server
Architecture: source i386
Version: 0.8.5-5+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
openarena - fast-paced 3D first-person shooter
openarena-server - server and game logic for the game OpenArena
Closes: 665656
Changes:
openarena (0.8.5-5+squeeze2) stable-security; urgency=low
.
* Apply ioquake3 r1762 to rate-limit getstatus and rcon connectionless
packets, to avoid their use for traffic amplification. (Closes: #665656)
--- End Message ---
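As an added illustration of the mitigation the changelog names (this is constructed example code, not ioquake3's or OpenArena's own): a per-source leaky bucket that rate-limits replies to connectionless getstatus/rcon packets, so a spoofed flood from one forged source is answered at most `burst` times per period instead of being amplified onto the victim. The addresses, limits and timestamps used are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not ioquake3/OpenArena code: a per-source leaky bucket
 * gating replies to connectionless getstatus/rcon packets. A source gets up to
 * `burst` replies at once, then one more per `period_ms`; the rest are dropped
 * silently, so a spoofed flood earns the victim nothing. */
typedef struct {
    uint32_t addr;    /* IPv4 source address, host byte order */
    int      burst;   /* replies recently sent to this address */
    int64_t  last_ms; /* time base the bucket drains from */
    bool     used;
} leaky_bucket_t;
static leaky_bucket_t buckets[256];

static leaky_bucket_t *bucket_for(uint32_t addr) {
    /* Fibonacci hash into a slot; a collision makes two sources share one
     * budget, which is stricter, never more permissive. */
    leaky_bucket_t *b = &buckets[(addr * 2654435761u) >> 24];
    if (!b->used || b->addr != addr) {
        memset(b, 0, sizeof *b);
        b->addr = addr;
        b->used = true;
    }
    return b;
}
/* Returns true when the request must be dropped (rate limited). */
bool svc_rate_limit(uint32_t addr, int64_t now_ms, int burst, int period_ms) {
    leaky_bucket_t *b = bucket_for(addr);
    int64_t elapsed = now_ms - b->last_ms;
    if (elapsed > 0) {
        int64_t drained = elapsed / period_ms;  /* whole periods elapsed */
        b->burst = drained >= b->burst ? 0 : (int)(b->burst - drained);
        b->last_ms += drained * period_ms;      /* keep the remainder */
    }
    if (b->burst >= burst)
        return true;                            /* over budget: send nothing */
    b->burst++;
    return false;
}
int main(void) {
    int dropped = 0; /* constructed flood: 1000 spoofed packets in 1 ms */
    for (int i = 0; i < 1000; i++)
        dropped += svc_rate_limit(0xC0A80001u, 1, 10, 1000);
    printf("answered %d, dropped %d\n", 1000 - dropped, dropped);
    return 0;
}
```

Dropping a request costs no bandwidth, which is the whole point: the amplification exists only because every forged request used to earn a reply many times its size.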