[kernel-sec-discuss] r750 - active
Martin Pitt
mpitt at alioth.debian.org
Wed Apr 25 12:30:24 UTC 2007
Author: mpitt
Date: 2007-04-25 12:30:24 +0000 (Wed, 25 Apr 2007)
New Revision: 750
Added:
active/CVE-2007-1497
Log:
add CVE-2007-1497
Added: active/CVE-2007-1497
===================================================================
--- active/CVE-2007-1497 2007-04-25 11:44:59 UTC (rev 749)
+++ active/CVE-2007-1497 2007-04-25 12:30:24 UTC (rev 750)
@@ -0,0 +1,26 @@
+Candidate: CVE-2007-1497
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
+Description:
+ The individual fragments of a packet reassembled by conntrack have
+ the conntrack reference from the reassembled packet attached, but
+ nfctinfo is not copied. This leaves it initialized to 0, which
+ unfortunately is the value of IP_CT_ESTABLISHED.
+ The result is that all IPv6 fragments are tracked as ESTABLISHED,
+ allowing them to bypass a usual ruleset which accepts ESTABLISHED
+ packets early.
+Ubuntu-Description:
+ The connection tracking module for IPv6 did not properly handle some
+ the status field when reassembling fragmented packets, so that the
+ final packet always had the 'established' state. A remote attacker
+ could exploit this to bypass intended firewall rules.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: needed
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.15-dapper-security: needed
+2.6.17-edgy-security: needed
+2.6.20-feisty-security: needed
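Review bot: the Ubuntu-Description in this hunk both misdescribes which packets get the wrong state and has a stray word. "+ The connection tracking module for IPv6 did not properly handle some" followed by "+ the status field" reads "handle some the status field"; and "the final packet always had the 'established' state" contradicts the Description a few lines up, which says the individual fragments (not the reassembled packet) are tracked as ESTABLISHED because nfctinfo is left at 0, the value of IP_CT_ESTABLISHED. Suggest wording it as "did not properly set the connection-tracking state of IPv6 packet fragments, so every fragment was treated as 'established'". Separately, the upstream: and linux-2.6: fields are left blank even though the only reference is a commit in the linux-2.6.20.y stable tree; recording the fixed version there would let the "needed" status of the per-release lines below be checked against it.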