Bas Wijnen has reported a vulnerability in Pioneers, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a session object being deleted while still in use. This can be exploited to crash the Pioneers server by sending specially crafted data. The vulnerability is reported in versions prior to 0.11.3. SOLUTION: Update to version 0.11.3.
games, version 0.11.3 is in the tree but ~arch, is it ready for stabilization? please advise.
stablized and removed all but 0.11.3
ok, so we can directly proceed to glsa vote. I tend to vote YES.
(In reply to comment #2) > stablized and removed all but 0.11.3 Should we call in x86, because 0.11.3 is only ~x86 right now?
missed it. fixed it now.
Thanks. Voting YES since it seems unauthenticated users can crash the server.
request filed.
GLSA 200711-20
It seems we only fixed one of the two DoS vulnerabilities discovered. From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449541 As I wrote before, there was a DoS vulnerability in Pioneers. While testing if it also occurred in stable, I found a second problem, which is now also fixed. The fix is uploaded to unstable, and should enter testing in 2 days. The attached patch fixes both problems in stable. To use it: cd /tmp dget -x ftp://ftp.nl.debian.org/debian/pool/main/p/pioneers/pioneers_0.10.2-3.dsc cd pioneers-0.10.2 patch -p2 < /path/to/patch dch -i debuild The problem is documented on http://sourceforge.net/tracker/index.php?func=detail&aid=1786686&group_id=5095&atid=105095 This patch is a combination of the following two patches: http://sourceforge.net/tracker/index.php?func=detail&aid=1791176&group_id=5095&atid=305095 http://sourceforge.net/tracker/index.php?func=detail&aid=1833003&group_id=5095&atid=305095
I added the rest of the patch that wasn't in 0.11.3 and rev bumped it to force it out.
Thanks, we should publish an errata GLSA.
xml updated and errata mail for GLSA-200711-20 sent, closing.
