Candidate: CVE-2005-4441
References:
 BUGTRAQ:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
 URL:http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
 BUGTRAQ:20051219 Re: Making unidirectional VLAN and PVLAN jumping bidirectional
 URL:http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
 FULLDISC:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
 URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
Description:
 The PVLAN protocol allows remote attackers to bypass network segmentation and
 spoof PVLAN traffic via a PVLAN message with a target MAC address that is set
 to a gateway router, which causes the packet to be sent to the router, where
 the source MAC is modified, aka "Modification of the MAC spoofing PVLAN
 jumping attack," as demonstrated by pvlan.c.
Notes:
 Quoting Horms:
 I've taken a quick look at this. I don't think that 1. (VLAN jumping)
 affects Linux because of the following line near the bottom of
 vlan_skb_recv().
 .
 skb->protocol = __constant_htons(ETH_P_802_2);
 .
 I'm looking at Linus' Git tree as of this morning, but I don't think there
 have been any relevant changes since Git began at 2.6.12-rc2.
 .
 This seems to imply that further processing will treat the packet as an
 ethernet frame. Though I need to double check that it can't be passed back
 into the vlan code. I'm doing that now, but in about 15 minutes I have to
 leave, and I'll be on leave for 6 days. At home, and possibly looking into
 this problem, but not at my desk working sensible hours.
 .
 As for 2 (PVLAN jumping). I haven't looked into that yet but it seems quite
 plausible.
 .
 dannf> Horms believes these to be protocol bugs - they are legal
 dannf> things to do. Therefore, we're gonna ignore them for the sarge2
 dannf> series of kernels & follow what upstream does.
Bugs:
upstream:
linux-2.6:
2.6.8-sarge-security: ignored (2.6.8-16sarge5)
2.4.27-sarge-security: ignored (2.4.27-10sarge4)
2.6.18-etch-security:
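The description above gives the one observable the attack leaves on the victim's port: the gateway router relays a frame whose IP endpoints are both inside the local (private) VLAN and rewrites the source MAC to its own. The following detector is an added example, not part of the tracker record or of pvlan.c; the gateway MAC, the subnet and the sample frames are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Minimal view of an Ethernet/IP frame as a sensor would decode it."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


# Constructed topology for this example (hypothetical values).
GATEWAY_MAC = "00:00:0c:07:ac:01"
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def is_pvlan_hop(frame: Frame, gateway_mac: str = GATEWAY_MAC,
                 local_net: ipaddress.IPv4Network = LOCAL_NET) -> bool:
    """Return True if the gateway relayed a locally-sourced packet back into
    its own subnet, which is the footprint of the PVLAN jump described in
    CVE-2005-4441.  Legitimately routed traffic arriving from the gateway
    carries a source IP outside the local subnet.  Heuristic only: a sender
    that also forges an off-subnet source IP is not caught by this rule.
    """
    src_ip = ipaddress.ip_address(frame.src_ip)
    dst_ip = ipaddress.ip_address(frame.dst_ip)
    return (frame.src_mac.lower() == gateway_mac.lower()
            and src_ip in local_net and dst_ip in local_net)


def scan(frames):
    """Return the frames that match the PVLAN-hop indicator."""
    return [f for f in frames if is_pvlan_hop(f)]


# Constructed sample frames as seen on the victim's isolated port.
SAMPLE_FRAMES = [
    # Normal routed reply from outside, delivered via the gateway.
    Frame(GATEWAY_MAC, "00:11:22:33:44:55", "198.51.100.7", "192.0.2.20"),
    # Same-VLAN traffic that never touched the router.
    Frame("00:11:22:33:44:66", "00:11:22:33:44:55", "192.0.2.30", "192.0.2.20"),
    # Gateway MAC as source, both IPs local: the router relayed it.
    Frame(GATEWAY_MAC, "00:11:22:33:44:55", "192.0.2.10", "192.0.2.20"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FRAMES):
        print("possible PVLAN hop:", f)
```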