Date: Sat, 2 Aug 2003 16:34:17 +0200
From: Netfilter Core Team
To: Netfilter Announcement List
Cc: vendor-sec@lst.de, bugtraq@securityfocus.com, lwn@lwn.net
Subject: [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)

Netfilter Core Team Security Advisory

CVE: CAN-2003-0467
Subject: Netfilter / NAT Remote DoS
Released: 01 Aug 2003

Effects: Under limited circumstances, a remote user may be able to crash a machine doing Network Address Translation (NAT).

Estimated Severity: Medium.

Systems Affected: Linux 2.4.20 kernels and recent 2.5 kernels with CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC enabled, or the ip_nat_ftp or ip_nat_irc modules loaded, on which ftp and irc users are not packet filtered out.

Solution:
  BEST: Upgrade to Linux kernels 2.4.21 (stable), or apply the patch below.
  OR: As a workaround, the modules can be removed, or iptables can be used to block untrusted users from initiating ftp or irc connections through the NAT machine.

Details: This was verified by Rusty Russell on 2.4.20, and verified fixed with this patch.

Vendor Statement:
  Red Hat: All of the 2.4.20-based kernels shipped by Red Hat already contain the patch and are not vulnerable to this issue.
  Others: unknown

Credits: The problem was found, and the fix implemented by the Netfilter Core Team.

Contact: coreteam@netfilter.org

patch is on the URL
Same as #26106
This was fixed and is also for two kernel revisions ago. Changing resolution to FIXED.
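Added example, not part of the advisory or of the Netfilter project's code: a shell triage helper that classifies a host against the advisory's "Systems Affected" and "Vendor Statement" text. The result labels (`listed`, `review`, `not-listed`, `helper-absent`) and the `/boot/config-<release>` path are assumptions of this example.

```shell
#!/bin/sh
# Triage a host against the "Systems Affected" field of CAN-2003-0467.
# Inputs are passed as strings so the logic can be checked offline.

# nat_helper_present MODULES CONFIG
# True if ip_nat_ftp/ip_nat_irc is loaded (a line of /proc/modules starts
# with the module name) or the matching CONFIG option is =y or =m.
nat_helper_present() {
    if printf '%s\n' "$1" | grep -Eq '^(ip_nat_ftp|ip_nat_irc)[[:space:]]'; then
        return 0
    fi
    if printf '%s\n' "$2" | grep -Eq '^CONFIG_IP_NF_NAT_(FTP|IRC)=[ym]$'; then
        return 0
    fi
    return 1
}

# classify_host RELEASE MODULES CONFIG
# Prints one label (labels are this example's own, not the advisory's):
#   helper-absent  neither NAT helper is loaded or enabled
#   listed         stock 2.4.20 with a helper: named in the advisory
#   review         vendor-suffixed 2.4.20 (may already carry the patch, as
#                  the Red Hat statement says) or a 2.5 kernel (the advisory
#                  only says "recent 2.5 kernels")
#   not-listed     any other release, including the fixed 2.4.21
classify_host() {
    release=$1 modules=$2 config=$3
    if ! nat_helper_present "$modules" "$config"; then
        echo helper-absent
        return
    fi
    case $release in
        2.4.20)         echo listed ;;
        2.4.20[!0-9]*)  echo review ;;
        2.5.*)          echo review ;;
        *)              echo not-listed ;;
    esac
}

# Live check. The /boot/config-<release> location is an assumption; many
# distributions install the kernel config there, others do not.
rel=$(uname -r)
classify_host "$rel" \
    "$(cat /proc/modules 2>/dev/null)" \
    "$(cat "/boot/config-$rel" 2>/dev/null)"
```

A `listed` or `review` result only means the kernel and helper match the advisory; whether ftp and irc users are packet filtered out on that machine still has to be checked in its iptables rules.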