From CVE request at $URL: "The issue concerns a denial of service vulnerability in the form of a slow read attack preventing anyone to join the server, and preventing the continuation of a game when 'pause on join' is enabled. This attack requires the attacker to be authorized, but most servers do not implement authorization. The first vulnerable version is 0.3.5, the upcoming 1.1.5 release will have the issue fixed. Once a CVE id is allocated, the issue and fix will be documented at http://security.openttd.org/CVE-2012-xxxx"
@games: This is fixed in 1.1.5 released last month. Please provide an updated ebuild.
Hi, I tested in https://bugs.gentoo.org/show_bug.cgi?id=396185 and only version bump of the ebuild and one patch file is needed. I also made a ebuild for 1.2_RC1
1.2.0 added to main tree now by me. @security: Do your magic lads :)
Thanks, Tomáš. Arches, please test and mark stable: =games-simulation/openttd-1.2.0 Target KEYWORDS="amd64 ppc x86"
amd64 stable
Adding opengfx to the list as it seems that with the old one it likes to crash. =games-util/nml-0.2.3 =games-misc/opengfx-0.4.4 =games-simulation/openttd-1.2.0 Adding back amd64 as I had to prune the stabling due to breaking depgraph.
x86 stable, thanks
arm passes
drop to ~ppc; ppc64 passes
Thanks, folks. GLSA Vote: no.
GLSA vote: no.
CVE-2012-0048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0048): OpenTTD 0.3.5 through 1.1.4 allows remote attackers to cause a denial of service (game pause) by connecting to the server and not finishing the (1) authorization phase or (2) map download, aka a "slow read" attack.
