New security flaws have been identified in the OpenTTD software package. A remote attacker can exploit them to gain elevated privileges, execute arbitrary code, and carry out a denial-of-service (DoS) attack.
Package:
openttd 1.x
Operating systems:
Fedora 15, Fedora 16
Severity:
7.5
Problem:
improper memory handling, error in a software component, buffer overflow
Exploitation:
remote
Impact:
privilege escalation, arbitrary code execution, denial of service (DoS)
The security problems arise from multiple buffer overflows and an "off-by-one" vulnerability in "order_cmd.cpp".
Impact:
A remote attacker can exploit these flaws for a DoS (Denial of Service) attack, privilege escalation, and arbitrary code execution.
Solution:
The solution to the security problems is to apply the available updates.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-0623
2012-01-17 20:06:12
--------------------------------------------------------------------------------
Name : openttd
Product : Fedora 15
Version : 1.1.5
Release : 1.fc15
URL : http://www.openttd.org
Summary : Transport system simulation game
Description :
OpenTTD is modeled after a popular transportation business simulation game
by Chris Sawyer and enhances the game experience dramatically. Many features
were inspired by TTDPatch while others are original.
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2012-0049 openttd: denial of service via slow read attack
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jan 15 2012 Felix Kaechele - 1.1.5-1
- update to 1.1.5
- fixes CVE-2012-0049 (bz #782179)
* Fri Jan 13 2012 Fedora Release Engineering - 1.1.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Dec 6 2011 Adam Jackson - 1.1.3-2
- Rebuild for new libpng
* Sun Sep 18 2011 Felix Kaechele - 1.1.3-1
- update to 1.1.3
- fixes CVE-2011-3341, CVE-2011-3342 and CVE-2011-3343
* Fri Sep 9 2011 Felix Kaechele - 1.1.2-2
- rebuild for new icu
* Mon Aug 29 2011 Rahul Sundaram - 1.1.2-1
- update to 1.1.2
- drop definition of buildroot, defattr and clean stage
* Sun Jun 12 2011 Felix Kaechele - 1.1.1-1
- update to 1.1.1
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #782179 - CVE-2012-0049 openttd: denial of service via slow read
attack
https://bugzilla.redhat.com/show_bug.cgi?id=782179
[ 2 ] Bug #772791 - OpenTTD slow read attack
https://bugzilla.redhat.com/show_bug.cgi?id=772791
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update openttd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-0647
2012-01-17 20:07:37
--------------------------------------------------------------------------------
Name : openttd
Product : Fedora 16
Version : 1.1.5
Release : 1.fc16
URL : http://www.openttd.org
Summary : Transport system simulation game
Description :
OpenTTD is modeled after a popular transportation business simulation game
by Chris Sawyer and enhances the game experience dramatically. Many features
were inspired by TTDPatch while others are original.
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2012-0049 openttd: denial of service via slow read attack
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jan 15 2012 Felix Kaechele - 1.1.5-1
- update to 1.1.5
- fixes CVE-2012-0049 (bz #782179)
* Fri Jan 13 2012 Fedora Release Engineering - 1.1.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Dec 6 2011 Adam Jackson - 1.1.3-2
- Rebuild for new libpng
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #782179 - CVE-2012-0049 openttd: denial of service via slow read
attack
https://bugzilla.redhat.com/show_bug.cgi?id=782179
[ 2 ] Bug #772791 - OpenTTD slow read attack
https://bugzilla.redhat.com/show_bug.cgi?id=772791
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update openttd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------