On Wed, Sep 10, 2003 at 08:32:32AM -0400, Herbert Xu wrote:
> Changes:
>  kernel-source-2.4.20 (2.4.20-3woody.12) stable; urgency=low
>  .
>    * Fixed conntrack DoS (netfilter):
>      . include/linux/netfilter_ipv4/ip_conntrack.h
>      . net/ipv4/netfilter/ip_conntrack_core.c
>      . net/ipv4/netfilter/ip_conntrack_proto_tcp.c
>      . net/ipv4/netfilter/ip_conntrack_proto_udp.c
>      . net/ipv4/netfilter/ip_conntrack_standalone.c
I guess this is a fix for one of the vulnerabilities announced by the netfilter team at the beginning of August:
http://lists.netfilter.org/pipermail/netfilter-devel/2003-August/012151.html
(Conntrack list_del() DoS)

How about the second message posted on the same day? (NAT Remote DOS (SACK mangle)):
http://lists.netfilter.org/pipermail/netfilter-devel/2003-August/012152.html

Herbert, aren't you going to patch it as well? Or maybe this is the bug fixed in kernel-source-2.4.3 (2.4.3-4), back in April (Bug#94216)? (The URLs in the bug report are not valid any more, so I can't check.)

regards,

Marcin

-- 
Marcin Owsiany <[EMAIL PROTECTED]>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

