Bug#665842: tremulous: traffic amplification via spoofed getstatus requests

Simon McVittie smcv at debian.org
Mon Mar 26 14:42:26 UTC 2012


Package: tremulous
Version: 1.1.0-5
Severity: serious
Tags: security
Justification: RC in maintainer's opinion, facilitates DoS against others

It has been discovered that spoofed "getstatus" UDP requests are used by
attackers to direct status responses from multiple Quake 3-based servers
to a victim, as a traffic amplification mechanism for a denial of service
attack on that victim. Tremulous 1.1.0 appears to be vulnerable to this.

This was fixed in ioquake3 r1762, and was reported against openarena/squeeze
as Bug #665656. The patch is likely to backport nicely to Tremulous too.

If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.

More details in <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656>,
including a list of affected versions. The short version is that Tremulous
svn is OK, but both current releases (1.1.0 and GPP1) are vulnerable.

    S
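One common mitigation for this class of amplification is a per-source rate limit on the query handler, so a server answers at most a bounded burst of "getstatus" queries per claimed source address and silently drops the rest. The limiter below is an added illustration in C, not the ioquake3 r1762 patch or any Tremulous code; the table size, burst allowance and refill period are assumed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Per-source leaky bucket for "getstatus"/"getinfo" queries (illustration,
 * not the ioquake3/Tremulous implementation). Each source address may be
 * answered BURST times; one token is regained every PERIOD_MS. Queries that
 * exceed the allowance are dropped unanswered, which caps the reply traffic
 * a spoofed source address can draw towards a victim. */
#define BUCKETS   64      /* assumed: number of tracked source addresses */
#define BURST     10      /* assumed: replies allowed in a burst */
#define PERIOD_MS 1000    /* assumed: one token regained per second */

typedef struct {
    uint32_t addr;     /* IPv4 source address; 0 marks a free slot */
    int      tokens;   /* replies remaining before dropping */
    uint64_t last_ms;  /* time the bucket was last refilled */
} bucket_t;

static bucket_t buckets[BUCKETS];

/* Find the bucket for addr, allocating a free slot or evicting the stalest. */
static bucket_t *find_bucket(uint32_t addr, uint64_t now_ms) {
    bucket_t *free_slot = NULL, *oldest = &buckets[0];
    for (int i = 0; i < BUCKETS; i++) {
        if (buckets[i].addr == addr && addr != 0) return &buckets[i];
        if (buckets[i].addr == 0 && !free_slot) free_slot = &buckets[i];
        if (buckets[i].last_ms < oldest->last_ms) oldest = &buckets[i];
    }
    bucket_t *b = free_slot ? free_slot : oldest;
    b->addr = addr; b->tokens = BURST; b->last_ms = now_ms;
    return b;
}

/* Returns true if a getstatus from addr should be answered at now_ms. */
bool getstatus_allowed(uint32_t addr, uint64_t now_ms) {
    bucket_t *b = find_bucket(addr, now_ms);
    /* Refill whole tokens for elapsed time; ignore a clock that went backwards. */
    uint64_t refill = now_ms > b->last_ms ? (now_ms - b->last_ms) / PERIOD_MS : 0;
    if (refill > 0) {
        uint64_t t = (uint64_t)b->tokens + refill;
        b->tokens = t > BURST ? BURST : (int)t;
        b->last_ms += refill * PERIOD_MS;
    }
    if (b->tokens <= 0) return false;  /* over the allowance: drop, do not amplify */
    b->tokens--;
    return true;
}

void getstatus_limiter_reset(void) { memset(buckets, 0, sizeof buckets); }
```

A deployment would key the table on the full network address and tune BURST and PERIOD_MS to the server's normal browser-query rate.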