From coreteam@netfilter.org Sat Aug 2 16:33:41 2003 Date: Sat, 2 Aug 2003 16:33:41 +0200 To: Netfilter Announcement List Cc: vendor-sec@lst.de, bugtraq@securityfocus.com, lwn@lwn.net Subject: [SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS Netfilter Core Team Security Advisory CVE: CAN-2003-0187 Subject: Netfilter / Connection Tracking Remote DoS Released: 01 Aug 2003 Effects: Any remote user may be able to DoS a machine with netfilter connection tracking when running a specific version of the Linux kernel. Estimated Severity: High. Systems Affected: Linux 2.4.20 kernels (kernels <= 2.4.19 and >= 2.4.21 NOT affected) CONFIG_IP_NF_CONNTRACK enabled, or the ip_conntrack module loaded. Solution: BEST: Upgrade to Linux kernels 2.4.21 (stable), or apply the patch below. OR: Do not use connection tracking on 2.4.20 based systems. Details: The 2.4.20 kernel introduced a change in the behaviour of the generic linked list support. The connection tracking core relies on the old behaviour to identify 'UNCONFIRMED' connections. 'UNCONFIRMED' means we've seen traffic only in one direction, but not in the other. Since connection tracking was unable to identify such connections correctly anymore, they've been assigned a very high timeout. The patch below changes the connection tracking core to no longer rely on any specific behaviour of the linux linked listed API. Vendor Statement: Red Hat: Patches for this issue were first introduced in RHSA-2003:17 Others: unknown Credits: The problem was found, and the fix implemented by the Netfilter Core Team. Contact: coreteam@netfilter.org Patch is on the URL
gentoo-sources-2.4.20-r5 is NOT vulnerable to this. Question is how much time should be spent on all the other kernels we have?
as much time as it takes for them all to be removed from the tree/patched ;)
This was 2 kernel revisions ago. I'm changing resolution to fixed.
