[FS |HSO| Decoy]

Security Update - 27th January 2012

We have just released a security fix for the current exploits, you can access these downloads on our Security page on our downloads pages. These binaries are based on the 2007 ioUrbanTerror which is currently distributed with 4.x

We strongly recommend that all servers admins update their servers. This includes the recent DrDos (DDoS Exploit) fix, as well as all the work done by Rambetter. A big thanks to him !

Our man Barbatos is the maintainer for the security fixes, if you have any further additions in the context of security, please send him a PM.

You are also welcome to comment in our forum.

---

link to original News #351

[QA MajkiFajki]

Wasn't 4.2 were tagged to address those issues? After decision to release HD.

[e-junkie]

is this only for server admins or should i also download this?

[FS Barbatos]

It is only for server admins. Please update your servers ASAP, this DDoS exploit has to be taken seriously.

[QA -WAR- SubJunk]

Thanks a lot for the release guys :)

[|<3| mogul]

Thanks Barbatos, & Rambetter for pursuing the issue so vehemently (not sure who else takes credit as well)

Security fixes are always good thing,in most cases

[Pussnboots]

Progress is AWESOME! And I'm glad you guys are bustin' your ***** to get sh** done.. But I still urge you (FS and ALL Server operators) to read my last post.. This can be VERY serious business with HUGE implications if not adhered to.

http://www.urbanterr...150#entry324082

I don't mean to be a downer, but the above link should describe the true severity of the situation. It could literally cost people hundreds to THOUSANDS of dollars. I don't know about where the laws are elsewhere, but when is this punk is caught in the U.S., He's facing some MAJOR time in the slammer with some NASTY fines as well as some unforgivable and permanent Felonies..

[FS |HSO| RaideR]

Yes, the news was posted about a week early (we wanted to keep the testing up a little longer) until yesterday i received a call saying that we were DDoSing some poor ladies website.

After investigation it was not "our network" but "THE network", of Urban Terror servers DDoS-ing innocent people.

This fix removes there ability to use UrT Servers as vulnerable proxy's. I will be putting into operation in the next few days a master server ban filter that will remove "non-patched" servers from the master list. This will make it so much harder for the DDoS-ers to find the server instances (not impossible sadly). The downside is this WILL remove servers which are not updated.

So take this as a friendly warning! Update now!

[Creation]

RaideR, on 28 January 2012 - 11:13 AM, said:

...

Do i need to install this fix if i had compiled an linux binary(with the exploit fix in it) before this release was available ?

[bc` ItsMe]

@RaideR

RaideR, on 28 January 2012 - 11:13 AM, said:

snip...

This fix removes there ability to use UrT Servers as vunerable proxys. I will be putting into operation in the next few days a master server ban filter that will remove "non-patched" servers from the master list.

At first I want to say that I appreciate the way you take this seriously (TBH, at first [mid/ end December] I've had some doubts about that -> my Post here).

But consider that you walk on a fine line near censorship with this.
Is it really _your_ business to decide what's good (for "the internet", the server owners, the victims of that DDoS) by filtering unpatched servers out? Is it maybe the part of the ISP/ Carrier to see/ find out that these Attacks are happening and do preventing it?

NO! Its the responsibility of the owner of every single server himself! He has to make sure that he is using your provided binary or another fixed one and/ or have a call at his Provider and _order_ him to track those Attacks and block them on the Datacenters Router/ Switch.
When hes not -> his decision -> he has to bear the consequences.

You've asked the Community about if or not to do the Blackout of the Website against SOPA for a free Internet...

Quote

This will make it so much harder for the DDoSers to find the server instances (not impossible sadley).

True, because lots of servers send their Heartbeats to monster.idsoftware.com and/ or master.gamespy.com

Quote

The downside is this WILL remove servers which are not updated.

Thats the goal of it :)

Quote

So take this as a friendly warning! Update now!

Here comes _the_ Question where I want to point to.
I've updated my Servers long _before_ FS released the official Securityfix from the source of ioquake (the ioquake Team fixed the issue in January 2010).
So will you block block _all_ servers out there that are not using _your_ binary?
I don't know what masterserver software do you use - dpmaster (--game-policy reject $NONPATCHEDSERVER)?
How you can make sure that you block just servers that are unpatched (here is the small line of censorship I've talked above) and not servers who use other/ selfcompiled binarys?

PS.
Don't get me wrong - I do not want to troll you I just want to point my finger onto some Problems I see with your decisions regarding these Blocking on the Masterlist. It solves _not_ the Problem.

This post has been edited by ItsMe: 28 January 2012 - 12:38 PM