Bug 190030 - net-firewall/nufw < 2.2.4 rule bypass (CVE-2007-4461)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26546/
Whiteboard: ~4 [noglsa] p-y
Reported: 2007-08-24 11:38 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-08-24 20:46 UTC (History)
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 11:38:03 UTC
A security issue has been reported in NuFW, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to NuFW not correctly dropping packets with an out of period arrival time, which can be exploited to bypass the filtering rules.

The security issue is reported in versions 2.2.x up to but not including 2.2.4.

Solution:
Update to version 2.2.4.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 11:40:28 UTC
setting status / cc'ing. cedk, please bump as necessary.
Comment 2 Cédric Krier gentoo-dev 2007-08-24 18:43:25 UTC
Version bump to 2.2.4 in cvs
Need perhaps to mask the version 2.2.0?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-24 19:40:00 UTC
Thx for the quick response cedk. Masking or purging would be nice but not required.
Comment 4 Cédric Krier gentoo-dev 2007-08-24 20:46:10 UTC
Remove from cvs