Candidate: CVE-2006-1242
References:
 http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a55d57b107c3e06935763905dc0fb235214569d
Description:
 [TCP]: Do not use inet->id of global tcp_socket when sending RST.
 .
 The problem is in ip_push_pending_frames(), which uses:
 .
     if (!df) {
         __ip_select_ident(iph, &rt->u.dst, 0);
     } else {
         iph->id = htons(inet->id++);
     }
 .
 instead of ip_select_ident().
 .
 Right now I think the code is a nonsense. Most likely, I copied it from
 old ip_build_xmit(), where it was really special, we had to decide
 whether to generate unique ID when generating the first (well, the last)
 fragment.
 .
 In ip_push_pending_frames() it does not make sense, it should use plain
 ip_select_ident() instead.
Notes:
 jmm> 2.4 doesn't seem to be affected, but I'd prefer a second look before
 jmm> marking it N/A
 .
 dannf> troyh gave me a patch for 2.4, so I guess it is affected
Bugs:
upstream: released (2.6.16.1)
linux-2.6: released (2.6.16-4)
2.6.8-sarge-security: released (2.6.8-16sarge3)
2.4.27-sarge-security: released (2.4.27-10sarge3)
2.4.19-woody-security:
2.4.18-woody-security:
2.4.17-woody-security:
2.4.16-woody-security:
2.4.17-woody-security-hppa:
2.4.17-woody-security-ia64: