Package: tremulous
Version: 1.1.0-5
Severity: serious
Tags: security
Justification: RC in maintainer's opinion, facilitates DoS against others
It has been discovered that spoofed "getstatus" UDP requests are used by attackers to direct status responses from multiple Quake 3-based servers to a victim, as a traffic amplification mechanism for a denial of service attack on that victim. Tremulous 1.1.0 appears to be vulnerable to this.

This was fixed in ioquake3 r1762, and was reported against openarena/squeeze as Bug #665656. The patch is likely to backport nicely to Tremulous too.

If a CVE ID is allocated for this vulnerability, please reference ioquake3 r1762 prominently in any advisory.

More details in <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656>, including a list of affected versions. The short version is that Tremulous svn is OK, but both current releases (1.1.0 and GPP1) are vulnerable.

S
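The mechanism behind the report, as an added illustration (this is not code from Tremulous, ioquake3 or the ioquake3 r1762 patch): a 13-byte connectionless "getstatus" packet with a forged source address makes the server send a much larger "statusResponse" to whoever owns that address, so each reflecting server multiplies the attacker's bandwidth. The second half shows the kind of fix that closes it, a leaky-bucket rate limit per source address plus a global cap on status replies, so a victim address can only ever draw a small burst before the server goes quiet. The packet layout (four 0xff bytes, then the command) follows the Quake 3 convention; the sample server info, player list and the bucket sizes are assumptions chosen for the example.

```python
"""Quake 3 getstatus amplification and a per-source rate limit.

Added example for this bug report; not part of Tremulous or ioquake3.
Sample server data and limiter constants are constructed/assumed.
"""
from collections import defaultdict

OOB_HEADER = b"\xff\xff\xff\xff"  # Quake 3 "out of band" connectionless marker

# Constructed sample data, not captured from a real server.
SAMPLE_SERVERINFO = {
    "sv_hostname": "Example Tremulous Server",
    "mapname": "atcs",
    "version": "tremulous 1.1.0 linux-i386",
    "g_gametype": "0",
    "sv_maxclients": "24",
    "protocol": "69",
}
SAMPLE_PLAYERS = [(score, 50, f"player{i}") for i, score in enumerate(range(0, 48, 4))]


def build_getstatus(challenge: bytes = b"") -> bytes:
    """The request an attacker spoofs with the victim's IP as source."""
    return OOB_HEADER + b"getstatus" + (b" " + challenge if challenge else b"")


def build_status_response(serverinfo, players, challenge: bytes = b"") -> bytes:
    """statusResponse: infostring of \\key\\value pairs, then one
    'score ping "name"' line per player. Exact cvar set is assumed."""
    info = "".join(f"\\{k}\\{v}" for k, v in serverinfo.items())
    if challenge:
        info += "\\challenge\\" + challenge.decode()
    body = "statusResponse\n" + info + "\n"
    body += "".join(f'{score} {ping} "{name}"\n' for score, ping, name in players)
    return OOB_HEADER + body.encode()


def amplification_factor(serverinfo=SAMPLE_SERVERINFO, players=SAMPLE_PLAYERS) -> float:
    """Bytes the victim receives per byte the attacker sends, per reflector."""
    return len(build_status_response(serverinfo, players)) / len(build_getstatus())


class LeakyBucket:
    """'burst' requests may pass back to back; after that one more is
    admitted per 'period_ms' elapsed. Same idea as the ioquake3 fix,
    but this implementation and its constants are this example's own."""

    def __init__(self, burst: int, period_ms: int):
        self.burst, self.period_ms = burst, period_ms
        self.count, self.last_ms = 0, None

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is None:
            self.last_ms = now_ms
        leaked = (now_ms - self.last_ms) // self.period_ms
        if leaked:
            self.count = max(0, self.count - leaked)
            self.last_ms += leaked * self.period_ms
        if self.count >= self.burst:
            return False
        self.count += 1
        return True


class StatusResponder:
    """Minimal server-side handler for connectionless getstatus packets."""

    def __init__(self, rate_limit: bool = True):
        self.rate_limit = rate_limit
        # Assumed limits: 10 replies/second per address, 50 burst then 10/second overall.
        self.per_addr = defaultdict(lambda: LeakyBucket(burst=10, period_ms=1000))
        self.global_bucket = LeakyBucket(burst=50, period_ms=100)

    def handle(self, src_addr: str, packet: bytes, now_ms: int):
        if not packet.startswith(OOB_HEADER):
            return None
        parts = packet[len(OOB_HEADER):].split(b" ", 1)
        if parts[0] != b"getstatus":
            return None
        challenge = parts[1] if len(parts) > 1 else b""
        if self.rate_limit:
            # Per-address bucket first: a spoofed victim address exhausts its
            # own allowance without starving other clients; the global bucket
            # then caps total outbound status traffic regardless of source.
            if not self.per_addr[src_addr].allow(now_ms):
                return None
            if not self.global_bucket.allow(now_ms):
                return None
        return build_status_response(SAMPLE_SERVERINFO, SAMPLE_PLAYERS, challenge)


def simulate_flood(n_requests: int, rate_limit: bool, victim: str = "203.0.113.7"):
    """Attacker sends n spoofed getstatus packets spread over one second,
    all carrying the victim's address. Returns (replies, bytes) the
    server would send to the victim."""
    srv = StatusResponder(rate_limit=rate_limit)
    replies, total = 0, 0
    for i in range(n_requests):
        resp = srv.handle(victim, build_getstatus(b"x"), now_ms=i * 1000 // n_requests)
        if resp is not None:
            replies, total = replies + 1, total + len(resp)
    return replies, total


if __name__ == "__main__":
    print(f"amplification per reflector: {amplification_factor():.1f}x")
    print("unpatched:", simulate_flood(200, rate_limit=False))
    print("rate-limited:", simulate_flood(200, rate_limit=True))
```

With the constructed sample data one reflector returns roughly 25 times the bytes it received, and 200 spoofed requests in a second produce 200 full replies to the victim; with the limiter the same flood yields the per-address burst and nothing more. The per-address bucket is the part that actually protects a third party, since the attacker chooses the source address; the global bucket only bounds how much the server as a whole can be made to emit.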

