From CVE request at $URL:
"The issue concerns a denial of service vulnerability in the form of a
slow read attack preventing anyone from joining the server, and preventing
the continuation of a game when 'pause on join' is enabled. This attack
requires the attacker to be authorized, but most servers do not
implement authorization. The first vulnerable version is 0.3.5, the
upcoming 1.1.5 release will have the issue fixed.
Once a CVE id is allocated, the issue and fix will be documented at
@games: This is fixed in 1.1.5 released last month. Please provide an updated ebuild.
Hi, I tested in https://bugs.gentoo.org/show_bug.cgi?id=396185 and only a version bump of the ebuild and one patch file are needed. I also made an ebuild for 1.2_RC1
1.2.0 added to main tree now by me.
Do your magic lads :)
Arches, please test and mark stable:
Target KEYWORDS="amd64 ppc x86"
Adding opengfx to the list as it seems that with the old one it likes to crash.
Adding back amd64 as I had to prune the stabling due to breaking depgraph.
x86 stable, thanks
drop to ~ppc; ppc64 passes
Thanks, folks. GLSA Vote: no.
GLSA vote: no.
OpenTTD 0.3.5 through 1.1.4 allows remote attackers to cause a denial of
service (game pause) by connecting to the server and not finishing the (1)
authorization phase or (2) map download, aka a "slow read" attack.