Candidate: CVE-2005-4440
References:
 http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
 http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
 http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
Description:
 The 802.1q VLAN protocol allows remote attackers to bypass network
 segmentation and spoof VLAN traffic via a message with two 802.1q tags,
 which causes the second tag to be redirected from a downstream switch
 after the first tag has been stripped, as demonstrated by Yersinia, aka
 "double-tagging VLAN jumping attack."
Notes:
 Quoting Horms:
  I've taken a quick look at this. I don't think that 1. (VLAN jumping)
  affects Linux because of the following line near the bottom of
  vlan_skb_recv().
  .
  skb->protocol = __constant_htons(ETH_P_802_2);
  .
  I'm looking at Linus' Git tree as of this morning, but I don't think
  there have been any relevant changes since Git began at 2.6.12-rc2.
  .
  This seems to imply that further processing will treat the packet as an
  ethernet frame. Though I need to double check that it can't be passed
  back into the vlan code. I'm doing that now, but in about 15 minutes I
  have to leave, and I'll be on leave for 6 days. At home, and possibly
  looking into this problem, but not at my desk working sensible hours.
  .
  As for 2 (PVLAN jumping). I haven't looked into that yet but it seems
  quite plausible.
 .
 dannf> Horms believes these to be protocol bugs - they are legal
 dannf> things to do. Therefore, we're gonna ignore them for the sarge2
 dannf> series of kernels & follow what upstream does.
Bugs:
upstream:
linux-2.6:
2.6.8-sarge-security: ignored (2.6.8-16sarge5)
2.4.27-sarge-security: ignored (2.4.27-10sarge4)
2.6.18-etch-security:
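
A defensive check for the frame shape the Description refers to, added here as an example and not taken from this tracker entry or from the Linux kernel: it walks consecutive 802.1q tags in a raw Ethernet frame and reports the outer and inner VLAN IDs, so a filter or capture tool can flag frames carrying two tags. The function names and the sample frames are constructed for illustration, and only the 802.1q TPID 0x8100 is recognized.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TPID_8021Q 0x8100 /* EtherType value that marks an 802.1q tag */

struct vlan_stack {
    int depth;          /* consecutive 802.1q tags found */
    uint16_t outer_vid; /* VID the first switch acts on */
    uint16_t inner_vid; /* VID exposed once the outer tag is stripped */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the tag stack of a raw Ethernet frame; -1 means truncated. */
int parse_vlan_stack(const uint8_t *f, size_t len, struct vlan_stack *out)
{
    size_t off = 12; /* skip destination and source MAC */
    out->depth = 0; out->outer_vid = 0; out->inner_vid = 0;
    if (len < 14) return -1;
    while (be16(f + off) == TPID_8021Q) {
        if (off + 6 > len) return -1; /* TPID + TCI + next EtherType */
        uint16_t vid = be16(f + off + 2) & 0x0FFF; /* low 12 bits of TCI */
        if (out->depth == 0) out->outer_vid = vid;
        out->inner_vid = vid;
        out->depth++;
        off += 4;
    }
    return 0;
}

/* 1 if the frame carries two or more 802.1q tags, 0 if not, -1 if truncated. */
int is_double_tagged(const uint8_t *f, size_t len)
{
    struct vlan_stack s;
    if (parse_vlan_stack(f, len, &s) != 0) return -1;
    return s.depth >= 2;
}

/* Constructed sample frames (header bytes only, not captured traffic). */
static const uint8_t DOUBLE_TAGGED[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01,
    0x81,0x00,0x00,0x01, 0x81,0x00,0x00,0x14, 0x08,0x00 }; /* VID 1, then VID 20 */
static const uint8_t SINGLE_TAGGED[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01,
    0x81,0x00,0x00,0x0a, 0x08,0x00 };                      /* VID 10 only */

int main(void)
{
    printf("double: %d\n", is_double_tagged(DOUBLE_TAGGED, sizeof DOUBLE_TAGGED));
    printf("single: %d\n", is_double_tagged(SINGLE_TAGGED, sizeof SINGLE_TAGGED));
    return 0;
}
```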