[kernel] r6606 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series
Dann Frazier
dannf at costa.debian.org
Fri May 19 22:04:46 UTC 2006
Author: dannf
Date: Fri May 19 22:04:45 2006
New Revision: 6606
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv4-id-no-increment.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Log:
* ipv4-id-no-increment.dpatch
[SECURITY] Fix vulnerability that allows remote attackers to conduct an
Idle Scan attack, bypassing intended protections against such attacks
See CVE-2006-1242
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri May 19 22:04:45 2006
@@ -40,8 +40,12 @@
[SECURITY] Fix remote DoS in SCTP code by discarding unexpected chunks
received in CLOSED state instead of calling BUG()
See CVE-2006-2271
+ * ipv4-id-no-increment.dpatch
+ [SECURITY] Fix vulnerability that allows remote attackers to conduct an
+ Idle Scan attack, bypassing intended protections against such attacks
+ See CVE-2006-1242
- -- dann frazier <dannf at debian.org> Thu, 18 May 2006 18:12:57 -0500
+ -- dann frazier <dannf at debian.org> Fri, 19 May 2006 17:00:22 -0500
kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
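Review bot: The added changelog entry for ipv4-id-no-increment.dpatch restates the CVE impact ("allows remote attackers to conduct an Idle Scan attack") but does not say what was changed or where. The SCTP entry just above it names the behavioural change ("discarding unexpected chunks received in CLOSED state instead of calling BUG()"). This entry would be easier to audit if it did the same, for example by noting that ip_push_pending_frames() now calls ip_select_ident() instead of incrementing inet->id directly.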
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv4-id-no-increment.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv4-id-no-increment.dpatch Fri May 19 22:04:45 2006
@@ -0,0 +1,50 @@
+Fix for CVE-2006-1242, applies with offset to 2.6.8.
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 6f78133bf7a06845afee5bcdff7c276bbceaaf55 (from 65851bbf2ab375b4c00f4571dfb5c1003625c12f)
+Author: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+Date: Wed Mar 22 14:34:42 2006 -0800
+
+ [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
+
+ The problem is in ip_push_pending_frames(), which uses:
+
+ if (!df) {
+ __ip_select_ident(iph, &rt->u.dst, 0);
+ } else {
+ iph->id = htons(inet->id++);
+ }
+
+ instead of ip_select_ident().
+
+ Right now I think the code is a nonsense. Most likely, I copied it from
+ old ip_build_xmit(), where it was really special, we had to decide
+ whether to generate unique ID when generating the first (well, the last)
+ fragment.
+
+ In ip_push_pending_frames() it does not make sense, it should use plain
+ ip_select_ident() instead.
+
+ Signed-off-by: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 8ee4d01..f75ff1d 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1249,11 +1249,7 @@ int ip_push_pending_frames(struct sock *
+ iph->tos = inet->tos;
+ iph->tot_len = htons(skb->len);
+ iph->frag_off = df;
+- if (!df) {
+- __ip_select_ident(iph, &rt->u.dst, 0);
+- } else {
+- iph->id = htons(inet->id++);
+- }
++ ip_select_ident(iph, &rt->u.dst, sk);
+ iph->ttl = ttl;
+ iph->protocol = sk->sk_protocol;
+ iph->saddr = rt->rt_src;
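Review bot: The replacement line "ip_select_ident(iph, &rt->u.dst, sk);" hands the DF case to a helper whose body is not part of this hunk, and the patch header says it only "applies with offset to 2.6.8", so the hunk position (-1249,11 +1249,7) and the index line are those of the upstream tree rather than of 2.6.8. Please confirm that the 2.6.8 ip_select_ident() accepts these three arguments and covers the global tcp_socket RST case named in the upstream subject line, and consider refreshing the patch against the 2.6.8 source so that it applies without offset. Noting in the header which tree it was tested against would help the next person who touches the series.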
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Fri May 19 22:04:45 2006
@@ -9,3 +9,4 @@
+ binfmt-bad-elf-entry-address.dpatch
+ em64t-uncanonical-return-addr.dpatch
+ sctp-discard-unexpected-in-closed.dpatch
++ ipv4-id-no-increment.dpatch