Your message dated Tue, 27 Mar 2012 21:52:07 +0000
with message-id <e1scejd-0007y5...@franck.debian.org>
and subject line Bug#665842: fixed in tremulous 1.1.0-8
has caused the Debian Bug report #665842,
regarding tremulous: [CVE-2010-5077] traffic amplification via getstatus requests
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
665842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665842
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tremulous
Version: 1.1.0-5
Severity: serious
Tags: security
Justification: RC in maintainer's opinion, facilitates DoS against others
It has been discovered that spoofed "getstatus" UDP requests are used by
attackers to direct status responses from multiple Quake 3-based servers
to a victim, as a traffic amplification mechanism for a denial of service
attack on that victim. Tremulous 1.1.0 appears to be vulnerable to this.
This was fixed in ioquake3 r1762, and was reported against openarena/squeeze
as Bug #665656. The patch is likely to backport nicely to Tremulous too.
If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.
More details in <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656>,
including a list of affected versions. The short version is that Tremulous
svn is OK, but both current releases (1.1.0 and GPP1) are vulnerable.
S
--- End Message ---
--- Begin Message ---
Source: tremulous
Source-Version: 1.1.0-8
We believe that the bug you reported is fixed in the latest version of
tremulous, which is due to be installed in the Debian FTP archive:
tremulous-doc_1.1.0-8_all.deb
to contrib/t/tremulous/tremulous-doc_1.1.0-8_all.deb
tremulous-server_1.1.0-8_amd64.deb
to contrib/t/tremulous/tremulous-server_1.1.0-8_amd64.deb
tremulous_1.1.0-8.debian.tar.gz
to contrib/t/tremulous/tremulous_1.1.0-8.debian.tar.gz
tremulous_1.1.0-8.dsc
to contrib/t/tremulous/tremulous_1.1.0-8.dsc
tremulous_1.1.0-8_amd64.deb
to contrib/t/tremulous/tremulous_1.1.0-8_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 665...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated tremulous package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 27 Mar 2012 20:33:10 +0100
Source: tremulous
Binary: tremulous tremulous-server tremulous-doc
Architecture: source amd64 all
Version: 1.1.0-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
tremulous - Aliens vs Humans, team based FPS game with elements of an RTS
tremulous-doc - Tremulous documentation
tremulous-server - Tremulous server
Closes: 665842
Changes:
tremulous (1.1.0-8) unstable; urgency=medium
.
* Backport ioquake3 r1762, r1763, r1898 to rate-limit getstatus and
rcon connectionless packets, to avoid their use for traffic amplification.
CVE-2010-5077 (Closes: #665842)
* Fix an incorrect bug number in revision -6
Checksums-Sha1:
6b29db511d7ab47f955b850a24b015cc0d6355eb 1992 tremulous_1.1.0-8.dsc
2d7c4044ebc000c3248dc7c4efa16ff4b975d349 41059 tremulous_1.1.0-8.debian.tar.gz
0cedd159bcef6d755b79ad2df172fa7c1c26d509 840670 tremulous_1.1.0-8_amd64.deb
aa2525db15c9cf3adf02f18f4f47705cd736e153 434686 tremulous-server_1.1.0-8_amd64.deb
19d9edf64951bf1c4d2e2d16e5c544e09017f2e9 646030 tremulous-doc_1.1.0-8_all.deb
Checksums-Sha256:
fe68da6f3c3357ec79daa133bc506a97fb726e9a357e9124ff570f7482d4b247 1992 tremulous_1.1.0-8.dsc
a39629041fd9081b904eb494dee711017f8059c8810c085243c05bdd7ecb382e 41059 tremulous_1.1.0-8.debian.tar.gz
d4c27693c284b054107915e4b6534fc88f032a4c3230c2c6e72db3e0cb2a5c4c 840670 tremulous_1.1.0-8_amd64.deb
2418dd59ff88644d764fdbc816c274a1785f5829372a4793d5b3d8f7118948c4 434686 tremulous-server_1.1.0-8_amd64.deb
07122addc0931a727c39449bfd44b2e29d921274d7bd621df3b85a483b4a74fe 646030 tremulous-doc_1.1.0-8_all.deb
Files:
2d4a56ef9730b1d518277bcf9e698b4b 1992 contrib/games optional tremulous_1.1.0-8.dsc
b092dd44352095748f2b5abfb536eabc 41059 contrib/games optional tremulous_1.1.0-8.debian.tar.gz
af3958543076c61c773c7389258a013c 840670 contrib/games optional tremulous_1.1.0-8_amd64.deb
5ece9019303c84a1ca0b94dac8366609 434686 contrib/games optional tremulous-server_1.1.0-8_amd64.deb
3ba76835523cf85286ff9658d46be55a 646030 contrib/doc optional tremulous-doc_1.1.0-8_all.deb
-----BEGIN PGP SIGNATURE-----
iQIVAwUBT3ImoU3o/ypjx8yQAQgZaQ//TPsU0/GElb1jeV7mNbdOZJxWVelX35p5
zDCZgu4umKs8UDqiT1goO5d9e6lEHGpJ5pOY2IW6auCpnUPIZ3uhnV0KJUEeVK7R
ZkJZVjul1DMQ+30enWHzGkD2SIxX/3MP2OcSFY/IUBIVduzXzGdBp9+bY9Qb1+D5
XOVnbhM9nJyp+TX73MjHTmjQKkl5Pl0oXiCNpDO6RrRpc6b1wBF+UVUQd3IBYLR6
gpj7Yt4XhduXutJXYmTrWXfNwFEHvx4I8dIKrF7mW7tc03BC/96JI0G87+zStjYG
v7a6NCG7kVjIo/L2iliwP2nYFlTuO+KxvG+DP8BgnQIGXaOZVRcSHt/c4pkPmhZH
2Yc8w69F4BB+yUUKTO4T9rKaPBNoBAqzAN5Kfc4ipzvrMdWTfCJneXZ82guDxi+O
4J0BSIGJzd+ByhaIq4WtH1mw784Xrjp9qJqHJBiCpqO+eHpi1jDTkMP+0V+9Qbdt
Q/FaccPJIopeobNTmZhx3ePbl7zabnI3xe/6o3qCT8fKWkKS/wM2x8bggoekxUuF
Wq98JjHvJIxNXchFyD0PwxK41bKJgzgjXMUI0G8Lkav6DEfh9whh6XgJWOdL1D2H
7mUpzbahHzzD36eR9WBsxc51t7ulAKwFyUnZlmEmTxiohzl5v7Qfpx4KSwrczX7a
RnwsR/WNbQQ=
=E/KJ
-----END PGP SIGNATURE-----
--- End Message ---
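The amplification mechanism described in the bug report above (spoofed "getstatus" datagrams drawing large statusResponse replies toward a victim) and the mitigation named in the 1.1.0-8 changelog (rate-limiting getstatus and rcon connectionless packets), as an added example that is not part of either message and is not Tremulous or ioquake3 code. It simulates a server that answers Quake 3 style connectionless packets, first unthrottled and then behind a per-source leaky bucket plus a global bucket, driven by a fake millisecond clock so it runs offline and deterministically. The bucket sizes, the global bucket, the sample statusResponse body, the rcon rejection text and the 203.0.113.x / 198.51.100.x addresses are constructed assumptions for illustration, not the values or strings used by ioquake3 r1762, r1763 or r1898.

```python
"""Rate-limiting Quake 3 style connectionless packets by source address.

Added example, not ioquake3 or Tremulous code. All traffic, replies and
bucket parameters below are constructed for illustration.
"""

OOB_HEADER = b"\xff\xff\xff\xff"          # marks a Quake 3 connectionless packet
LIMITED_COMMANDS = (b"getstatus", b"rcon")  # the two commands the changelog rate-limits

# Constructed stand-in for a statusResponse: cvar string plus one line per player.
# A 13-byte request elicits all of this, which is the amplification the bug is about.
SAMPLE_STATUS_RESPONSE = (
    OOB_HEADER + b"statusResponse\n"
    b"\\sv_hostname\\Example Tremulous server\\mapname\\atcs\\g_gametype\\0"
    b"\\sv_maxclients\\32\\version\\tremulous 1.1.0 linux-x86_64\\gamename\\base\n"
    + b"".join(b'%d %d "player%02d"\n' % (3 * i, 40 + i, i) for i in range(24))
)
# Constructed stand-in for the short rejection an rcon request with a bad password gets;
# even a short reply is free bandwidth toward the spoofed source, so it is limited too.
SAMPLE_RCON_REJECT = OOB_HEADER + b"print\nBad rcon password.\n"


class LeakyBucket:
    """Allow up to `burst` packets at once; one unit of fill drains every `period_ms`."""

    def __init__(self, burst, period_ms, now_ms=0):
        self.burst, self.period_ms = burst, period_ms
        self.level, self.last_ms = 0, now_ms

    def allow(self, now_ms):
        drained = max(0, now_ms - self.last_ms) // self.period_ms
        if drained > 0:
            self.level = max(0, self.level - drained)
            self.last_ms += drained * self.period_ms   # keep the fractional period
        if self.level >= self.burst:
            return False
        self.level += 1
        return True


class ConnectionlessRateLimiter:
    """Per-source buckets (every packet of a spoofed flood carries the victim's address)
    plus a global bucket (assumed here) that bounds total outbound bytes whatever the sources."""

    def __init__(self, burst=10, period_ms=1000, global_burst=100, global_period_ms=100):
        self.burst, self.period_ms = burst, period_ms
        self.global_bucket = LeakyBucket(global_burst, global_period_ms)
        self.per_source = {}   # src -> LeakyBucket; a real server must bound/age this table

    def allow(self, src, now_ms):
        bucket = self.per_source.get(src)
        if bucket is None:
            bucket = self.per_source[src] = LeakyBucket(self.burst, self.period_ms, now_ms)
        return bucket.allow(now_ms) and self.global_bucket.allow(now_ms)


def handle_packet(src, payload, now_ms, limiter=None):
    """Return the reply the simulated server sends for one datagram, or None."""
    if not payload.startswith(OOB_HEADER):
        return None                      # in-band game traffic, out of scope here
    parts = payload[len(OOB_HEADER):].split(None, 1)   # simplified tokenizer (assumption)
    cmd = parts[0] if parts else b""
    if cmd in LIMITED_COMMANDS and limiter is not None and not limiter.allow(src, now_ms):
        return None                      # dropped silently: no bytes toward the spoofed source
    if cmd == b"getstatus":
        return SAMPLE_STATUS_RESPONSE
    if cmd == b"rcon":
        return SAMPLE_RCON_REJECT
    return None


def getstatus_flood(src, count, start_ms=0, spacing_ms=1):
    """Constructed spoofed flood: `count` getstatus datagrams claiming to come from src."""
    return [(start_ms + i * spacing_ms, src, OOB_HEADER + b"getstatus") for i in range(count)]


def simulate(packets, limiter=None):
    """Replay (time_ms, src, payload) tuples in time order; report bytes and amplification."""
    bytes_in = bytes_out = replies = 0
    out_per_src = {}
    for now_ms, src, payload in sorted(packets, key=lambda p: p[0]):
        bytes_in += len(payload)
        reply = handle_packet(src, payload, now_ms, limiter)
        if reply is not None:
            replies += 1
            bytes_out += len(reply)
            out_per_src[src] = out_per_src.get(src, 0) + len(reply)
    return {"replies": replies, "bytes_in": bytes_in, "bytes_out": bytes_out,
            "amplification": bytes_out / bytes_in if bytes_in else 0.0,
            "out_per_src": out_per_src}


if __name__ == "__main__":
    flood = getstatus_flood(b"203.0.113.7", count=1000)   # the victim's address, spoofed
    unlimited = simulate(flood)
    limited = simulate(flood, ConnectionlessRateLimiter())
    print("unlimited: %d replies, x%.1f amplification" % (unlimited["replies"], unlimited["amplification"]))
    print("limited:   %d replies, x%.2f amplification" % (limited["replies"], limited["amplification"]))
```

The per-source bucket is the part that matters for this CVE: the attacker controls the source address, so every spoofed request keys to the victim's bucket and, after the burst, the server stops paying the victim's bandwidth bill. A global bucket (an assumption added here, not something the changelog claims) is the usual companion, since an attacker can spread spoofed sources across a victim's whole prefix.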