Description: The Linux Kernel contains a flaw that may allow a local denial of service. The issue is triggered when a route for a multicast IP address is requested, and will result in a kernel panic cause by a NULL pointer dereference, and therefore lead to loss of availability for the platform. Vulnerability Classification: * Local/Shell Access Required * Denial Of Service Attack * Loss Of Availability * Exploit Available * Verified Products: * Linux Kernel 2.6.16.7 Solution: Upgrade to version 2.6.16.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Manual Testing Notes: Steps to reproduce: run shell command $ ip ro get 224.0.0.1 iif eth0" External References: * CVE ID: 2006-1525 * Bugtraq ID: 17593 * ISS X-Force ID: 25872 * Secunia Advisory ID: 19709 * Secunia Advisory ID: 19735 * Vendor Specific News/Changelog Entry: http://bugzilla.kernel.org/show_bug.cgi?id=6388 * Vendor Specific News/Changelog Entry: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8 Credit: * Alexandra Kossovsky rgds Daxomatic
Maintainers, please bump to 2.6.16.14 preferably: rsbac-sources: kang usermode-sources: dsd xbox-sources: chrb xen-sources: chrb
usermode-sources fixed thanks to dang
All done (apart from sh-sources and rsbac-sources (masked)); resolving.
CVE-2006-1525: ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to cause a denial of service (panic) via a request for a route for a multicast IP address, which triggers a null dereference.