From f359eab080c47c6427c82f7a5e3fed6077a46ec7 Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Thu, 21 Jun 2007 12:58:59 +0000 Subject: retire CVE-2007-1407 git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@865 e094ebfe-e918-0410-adfb-c712417f3574 --- retired/CVE-2007-1497 | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 retired/CVE-2007-1497 (limited to 'retired/CVE-2007-1497') diff --git a/retired/CVE-2007-1497 b/retired/CVE-2007-1497 new file mode 100644 index 00000000..6868c997 --- /dev/null +++ b/retired/CVE-2007-1497 @@ -0,0 +1,28 @@ +Candidate: CVE-2007-1497 +References: + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 +Description: + The individual fragments of a packet reassembled by conntrack have + the conntrack reference from the reassembled packet attached, but + nfctinfo is not copied. This leaves it initialized to 0, which + unfortunately is the value of IP_CT_ESTABLISHED. + The result is that all IPv6 fragments are tracked as ESTABLISHED, + allowing them to bypass a usual ruleset which accepts ESTABLISHED + packets early. +Ubuntu-Description: + The connection tracking module for IPv6 did not properly handle some + the status field when reassembling fragmented packets, so that the + final packet always had the 'established' state. A remote attacker + could exploit this to bypass intended firewall rules. +Notes: + dannf> code didn't exist in 2.4 + jmm> code didn't exist in 2.6.8 +Bugs: +upstream: released (2.6.20.3, 2.6.21) +linux-2.6: released (2.6.20-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-12etch2) [bugfix/nf_conntrack-set-nfctinfo.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-28.54) +2.6.17-edgy-security: released (2.6.17.1-11.38) +2.6.20-feisty-security: N/A -- cgit v1.2.3