mailing list archives
Re: CVE-2010 Request: quake3 / openarena-server: DDoS by processing 'getstatus' and 'rcon' packets
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 26 Mar 2012 12:48:56 -0600
On 03/26/2012 07:09 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,
yet in 2010 the following problem has been corrected in Quake3 /
A distributed denial of service flaw was found in the way Quake3 Arena /
OpenArena servers used to handle 'getstatus' and 'rcon' (remote command)
connectionless requests. A remote attacker could use this flaw to perform
distributed denial of service attack against the target server IP
spoofing certain packets.
Relevant upstream patch:
Could you allocate a CVE-2010-* CVE identifier for this issue?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
P.S.: There doesn't seem to be a CVE identifier for this issue yet:
mentions various Quake3 related security flaws, but doesn't
this concrete issue yet.
Please use CVE-2010-5077 for this issue.
Kurt Seifried Red Hat Security Response Team (SRT)