242706 – (CVE-2008-4576) Kernel: <2.6.25.18 sctp DOS via INIT-ACK (CVE-2008-4576)

Bug 242706 (CVE-2008-4576) - Kernel: <2.6.25.18 sctp DOS via INIT-ACK (CVE-2008-4576)

Summary: Kernel: <2.6.25.18 sctp DOS via INIT-ACK (CVE-2008-4576)

Status:	RESOLVED FIXED

Alias:	CVE-2008-4576

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://git.kernel.org/?p=linux/kernel...
Whiteboard:	[linux <2.6.25.18]
Keywords:

Depends on:
Blocks:

Reported:	2008-10-19 03:38 UTC by Stefan Behte (RETIRED)
Modified:	2013-09-05 02:48 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2008-10-19 03:38:13 UTC

CVE-2008-4576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4576):
  sctp in Linux kernel before 2.6.25.18 allows remote attackers to
  cause a denial of service (OOPS) via an INIT-ACK that states the peer
  does not support AUTH, which causes the sctp_process_init function to
  clean up active transports and triggers the OOPS when the T1-Init
  timer expires.

Comment 1 kfm 2008-10-19 15:18:09 UTC

Removing hardened; it's already incorporated in hardened-sources-2.6.25-r8, which is keyworded stable for all arches that the herd is able to test for (x86/amd64/ppc).