Bas Wijnen has reported a vulnerability in Pioneers, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by a session object being deleted
while still in use. This can be exploited to crash the Pioneers
server by sending specially crafted data.
The vulnerability is reported in versions prior to 0.11.3.
Update to version 0.11.3.
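The Pioneers fix itself is not on this page. The following is an added C illustration, not Pioneers' code, of the deferred-deletion pattern that addresses the bug class the advisory describes (a session freed inside a handler and then used again for the rest of the packet); the struct, handler and message names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical session object; not Pioneers' real data structure. */
struct session {
    int closing;   /* set by a handler; the object is freed after dispatch */
    int handled;   /* messages processed so far (used for checking) */
};

static int g_session_freed;   /* records whether run_example() released its session */

/* Message handler. The bug pattern from the advisory is freeing the session
 * inside a handler like this one and then touching it again for the rest of
 * the packet; here "quit" only marks the session, it never frees it. */
static void handle_message(struct session *s, const char *msg)
{
    if (s->closing)                 /* drop anything arriving after the close request */
        return;
    s->handled++;
    if (strcmp(msg, "quit") == 0)
        s->closing = 1;
}

/* Dispatch every message of one received packet, then delete the session
 * at a single point where no caller can still hold a reference to it.
 * Returns the number of messages handled; *freed reports the deletion. */
int dispatch_packet(struct session *s, const char *const *msgs, int n, int *freed)
{
    int i, handled;
    for (i = 0; i < n; i++)
        handle_message(s, msgs[i]);  /* s stays valid for the whole loop */
    handled = s->handled;
    *freed = 0;
    if (s->closing) {
        free(s);
        *freed = 1;
    }
    return handled;
}

/* Constructed packet: a close request followed by further commands, the shape
 * of input that would trigger a use-after-free in the unsafe variant. */
int run_example(void)
{
    static const char *const msgs[] = { "hello", "quit", "roll", "trade" };
    struct session *s = calloc(1, sizeof *s);
    if (!s) return -1;
    return dispatch_packet(s, msgs, 4, &g_session_freed);   /* returns 2 */
}
int example_session_freed(void) { return g_session_freed; }
```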
games, version 0.11.3 is in the tree but ~arch; is it ready for stabilization? Please advise.
stabilized and removed all but 0.11.3
ok, so we can directly proceed to glsa vote.
I tend to vote YES.
(In reply to comment #2)
> stabilized and removed all but 0.11.3
Should we call in x86, because 0.11.3 is only ~x86 right now?
Missed it. Fixed it now.
Voting YES since it seems unauthenticated users can crash the server.
It seems we only fixed one of the two DoS vulnerabilities discovered.
As I wrote before, there was a DoS vulnerability in Pioneers. While
testing if it also occurred in stable, I found a second problem, which
is now also fixed. The fix is uploaded to unstable, and should enter
testing in 2 days. The attached patch fixes both problems in stable.
To use it:
dget -x ftp://ftp.nl.debian.org/debian/pool/main/p/pioneers/pioneers_0.10.2-3.dsc
patch -p2 < /path/to/patch
The problem is documented on
This patch is a combination of the following two patches:
I added the rest of the patch that wasn't in 0.11.3 and rev bumped it to force it out.
Thanks, we should publish an errata GLSA.
XML updated and errata mail for GLSA-200711-20 sent, closing.