Processed (with 2 errors): Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > retitle 665656 openarena-server: [CVE-2010-5077] traffic amplification Bug #665656 [openarena-server] openarena-server: is vulnerable for getstatus DRDoS attack Changed Bug title to 'openarena-server: [CVE-2010-5077] traffic amplification' from

Bug#665842: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-26 Thread Simon McVittie
retitle 665656 openarena-server: [CVE-2010-5077] traffic amplification via getstatus requests retitle 665842 tremulous: [CVE-2010-5077] traffic amplification via getstatus requests thanks On 26/03/12 11:23, Simon McVittie wrote: > It has been discovered that spoofed "getstatus" UDP requests are be

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-26 Thread Simon McVittie
On 26/03/12 11:23, Simon McVittie wrote: > Here's some text for a general advisory I've passed this on to Bugtraq to give it more visibility. S

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-26 Thread Simon McVittie
On 26/03/12 06:35, Florian Weimer wrote: > Please set the distribution to squeeze-security, adjust the version > number, build with -sa, and upload to security-master. Uploaded, thanks. If you obtain a CVE number for this, please make sure any advisory prominently mentions ioquake3 r1762 and/or th

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Florian Weimer
* Simon McVittie: > Some proposed updates using the patch from ioquake3 are in my home > directory on alioth: > . Patch for review: > Thanks for w

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Markus Koschany
On 26.03.2012 00:51, Simon McVittie wrote: > Markus, if you install devscripts and debian-keyring, you should be able > to download the packages from Alioth with dget, and verify the > signatures on them by running dscverify on the .changes file (they're > signed with my GPG key, which is in the De

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Simon McVittie
Some proposed updates using the patch from ioquake3 are in my home directory on alioth: . Patch for review: Markus, if you install devscripts and d

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Florian Weimer
* Simon McVittie: > Dear security team: what do you consider the severity of this bug to be? > Is it the sort of thing you issue DSAs for? So the problem seems to be traffic amplification by a factor of 250. (around 2000 bytes in, 500,000 bytes out). Is this correct? Is there any experience whi

Processed: Re: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > # mitigated with ioquake3 upstream patch since we switched to > # the shared engine > fixed 665656 0.8.5-6 Bug #665656 [openarena-server] openarena-server: is vulnerable for getstatus DRDoS attack Marked as fixed in versions openarena/0.8.5-6. >

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-25 Thread Simon McVittie
# mitigated with ioquake3 upstream patch since we switched to # the shared engine fixed 665656 0.8.5-6 thanks On 25/03/12 00:10, Markus Koschany wrote: > Severity: grave > Tags: security > Justification: user security hole Dear security team: what do you consider the severity of this bug to be? I

Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

2012-03-24 Thread Markus Koschany
Package: openarena-server Version: 0.8.5-5+squeeze1 Severity: grave Tags: security Justification: user security hole Dear Maintainer, a few hours ago my openarena server was used for a distributed reflected denial of service attack. I noticed unusually high outgoing traffic on port 27960 (3MB/s) wh
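The two numbers that drive this thread are Markus's 3 MB/s of outbound traffic on port 27960 and Florian's estimate of a 250x amplification factor (about 2000 bytes in, 500,000 bytes out). The script below is an added example, not code from the bug thread, from ioquake3 or from OpenArena: it models a Quake 3 style "getstatus" responder, measures how many bytes a single spoofed 13-byte request pulls out of it, and shows how a per-source token bucket bounds the reflected volume. It assumes the classic Quake 3 out-of-band framing (four 0xFF bytes followed by the command, "statusResponse" in the reply); the cvars, the 20 players and the source addresses are constructed sample data, and the bucket parameters are illustrative, not the values used by the upstream patch the thread refers to.

```python
"""
Added example: a minimal Quake 3 style "getstatus" responder, the amplification
factor of a spoofed request against it, and a per-source rate limit on replies.
Not code from the Debian bug thread, ioquake3 or OpenArena.

Assumptions (not stated on the page): the 4 x 0xFF out-of-band prefix and the
"statusResponse" reply format follow the classic Quake 3 network protocol; the
server cvars, player list and IP addresses below are constructed sample data;
the token-bucket parameters are illustrative, not those of the upstream patch.
"""
from collections import defaultdict

OOB = b"\xff\xff\xff\xff"                 # Quake 3 connectionless packet prefix
GETSTATUS_REQUEST = OOB + b"getstatus"    # 13 bytes on the wire
SERVER_PORT = 27960                       # port named in the bug report

# Constructed sample server state: a handful of cvars and 20 connected players.
SAMPLE_CVARS = [
    (b"sv_hostname", b"OpenArena Sample Server"),
    (b"mapname", b"oa_dm1"),
    (b"g_gametype", b"0"),
    (b"sv_maxclients", b"32"),
    (b"protocol", b"71"),
    (b"version", b"ioq3 1.36 linux-x86_64"),
    (b"gamename", b"baseoa"),
]
SAMPLE_PLAYERS = [(i * 3, 40 + i, b"Player%02d" % i) for i in range(20)]


def build_status_response(cvars, players):
    """Serialise a statusResponse: the cvar string, then one line per player."""
    cvar_string = b"".join(b"\\" + k + b"\\" + v for k, v in cvars)
    lines = [OOB + b"statusResponse\n" + cvar_string]
    lines += [b'%d %d "%s"' % (score, ping, name) for score, ping, name in players]
    return b"\n".join(lines) + b"\n"


def amplification_factor(request, response):
    """Bytes the server emits per byte it received from the (spoofed) sender."""
    return len(response) / len(request)


class TokenBucket:
    """Allows `burst` replies at once, then refills at `rate` replies per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class StatusResponder:
    """Answers getstatus; with rate set, replies are limited per source address."""
    def __init__(self, cvars, players, rate=None, burst=3):
        self.response = build_status_response(cvars, players)
        self.rate = rate
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def handle(self, src_ip, data, now):
        if not data.startswith(GETSTATUS_REQUEST):
            return None                       # not a getstatus: nothing to reflect
        if self.rate is not None and not self.buckets[src_ip].allow(now):
            return None                       # over budget for this source: drop
        return self.response


def simulate_reflection(responder, victim_ip, packets, interval):
    """An attacker spoofs `victim_ip` and sends `packets` requests `interval` s apart.
    Returns (replies emitted, total bytes aimed at the victim)."""
    replies = bytes_out = 0
    for i in range(packets):
        reply = responder.handle(victim_ip, GETSTATUS_REQUEST, now=i * interval)
        if reply is not None:
            replies += 1
            bytes_out += len(reply)
    return replies, bytes_out


if __name__ == "__main__":
    unlimited = StatusResponder(SAMPLE_CVARS, SAMPLE_PLAYERS)
    limited = StatusResponder(SAMPLE_CVARS, SAMPLE_PLAYERS, rate=1.0, burst=3)
    print("amplification per request: %.1fx"
          % amplification_factor(GETSTATUS_REQUEST, unlimited.response))
    print("unlimited:", simulate_reflection(unlimited, "192.0.2.10", 100, 0.005))
    print("limited:  ", simulate_reflection(limited, "192.0.2.10", 100, 0.005))
```

With the constructed 20-player server the reply is a few hundred bytes, so one 13-byte request yields a factor in the tens; a busy server with a long player list and hostname is what pushes it toward the 250x Florian quotes. Because the spoofed source address is the victim's, a per-source bucket is exactly what starves the attack against one target; an attacker who spreads spoofed sources across many victims still gets one burst each, which is why a global reply budget is the natural companion to the per-source one.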