retire CVE-2007-1407

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@865 e094ebfe-e918-0410-adfb-c712417f3574

1 files changed, 28 insertions, 0 deletions

diff --git a/retired/CVE-2007-1497 b/retired/CVE-2007-1497
new file mode 100644
index 00000000..6868c997
--- /dev/null
+++ b/retired/CVE-2007-1497
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-1497
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 
+Description: 
+ The individual fragments of a packet reassembled by conntrack have
+ the conntrack reference from the reassembled packet attached, but
+ nfctinfo is not copied. This leaves it initialized to 0, which
+ unfortunately is the value of IP_CT_ESTABLISHED.
+ The result is that all IPv6 fragments are tracked as ESTABLISHED,
+ allowing them to bypass a usual ruleset which accepts ESTABLISHED
+ packets early.
+Ubuntu-Description: 
+ The connection tracking module for IPv6 did not properly handle some
+ the status field when reassembling fragmented packets, so that the
+ final packet always had the 'established' state. A remote attacker
+ could exploit this to bypass intended firewall rules.
+Notes: 
+ dannf> code didn't exist in 2.4
+ jmm> code didn't exist in 2.6.8
+Bugs: 
+upstream: released (2.6.20.3, 2.6.21)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-12etch2) [bugfix/nf_conntrack-set-nfctinfo.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.54)
+2.6.17-edgy-security: released (2.6.17.1-11.38)
+2.6.20-feisty-security: N/A