First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 26106
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Martin Holzer (RETIRED) <mholzer@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 26106 depends on: Show dependency tree
Bug 26106 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2003-08-06 23:51 0000 
From coreteam@netfilter.org Sat Aug  2 16:33:41 2003
Date: Sat, 2 Aug 2003 16:33:41 +0200
To: Netfilter Announcement List 
Cc: vendor-sec@lst.de, bugtraq@securityfocus.com, lwn@lwn.net
Subject: [SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS

                  Netfilter Core Team Security Advisory
                  
                           CVE: CAN-2003-0187

Subject:

  Netfilter / Connection Tracking Remote DoS

Released:

  01 Aug 2003

Effects:

  Any remote user may be able to DoS a machine with netfilter connection
  tracking when running a specific version of the Linux kernel.

Estimated Severity:
  High.

Systems Affected:

  Linux 2.4.20 kernels (kernels <= 2.4.19 and >= 2.4.21 NOT affected)
  CONFIG_IP_NF_CONNTRACK enabled, or the ip_conntrack module loaded.

Solution:

  BEST: Upgrade to Linux kernels 2.4.21 (stable), or apply the patch below.

  OR: Do not use connection tracking on 2.4.20 based systems.

Details:

  The 2.4.20 kernel introduced a change in the behaviour of the generic
  linked list support.  The connection tracking core relies on the old
  behaviour to identify 'UNCONFIRMED' connections.  
  
  'UNCONFIRMED' means we've seen traffic only in one direction, but not
  in the other.  Since connection tracking was unable to identify such
  connections correctly anymore, they've been assigned a very high
  timeout.

  The patch below changes the connection tracking core to no longer rely
  on any specific behaviour of the linux linked listed API.

Vendor Statement:

  Red Hat: Patches for this issue were first introduced in RHSA-2003:17
  Others: unknown

Credits:
  The problem was found, and the fix implemented by the Netfilter Core Team.

Contact:
  coreteam@netfilter.org


Patch is on the URL

------- Comment #1 From Daniel Ahlberg (RETIRED) 2003-08-07 19:04:57 0000 ------- 
gentoo-sources-2.4.20-r5 is NOT vulnerable to this. Question is how much time 
should be spent on all the other kernels we have?

------- Comment #2 From SpanKY 2003-08-07 19:12:13 0000 ------- 
as much time as it takes for them all to be removed from the tree/patched ;)

------- Comment #3 From solar 2003-09-21 23:40:21 0000 ------- 
This was 2 kernel revisions ago. I'm changing resolution to fixed.
First Last Prev Next    No search results available      Search page      Enter new bug