Candidate: CVE-2007-1497
References: 
 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 
Description: 
 The individual fragments of a packet reassembled by conntrack have
 the conntrack reference from the reassembled packet attached, but
 nfctinfo is not copied. This leaves it initialized to 0, which
 unfortunately is the value of IP_CT_ESTABLISHED.
 The result is that all IPv6 fragments are tracked as ESTABLISHED,
 allowing them to bypass a usual ruleset which accepts ESTABLISHED
 packets early.
Ubuntu-Description: 
 The connection tracking module for IPv6 did not properly handle some
 the status field when reassembling fragmented packets, so that the
 final packet always had the 'established' state. A remote attacker
 could exploit this to bypass intended firewall rules.
Notes: 
 dannf> code didn't exist in 2.4
 jmm> code didn't exist in 2.6.8
Bugs: 
upstream: released (2.6.20.3, 2.6.21)
linux-2.6: released (2.6.20-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-12etch2) [bugfix/nf_conntrack-set-nfctinfo.patch]
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security: released (2.6.15-28.54)
2.6.17-edgy-security: released (2.6.17.1-11.38)
2.6.20-feisty-security: N/A