Bug#675445: CVE-2012-2663: Bypass of --syn rules

June 01st, 2012 - 05:30 am ET by Moritz Muehlenhoff
Package: iptables
Severity: important
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=826702 for details.

Cheers,
Moritz



To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Replies

#1 Laurence J. Lane
June 10th, 2012 - 03:00 pm ET
On Fri, Jun 1, 2012 at 5:18 AM, Moritz Muehlenhoff wrote:
> Package: iptables
> Severity: important
> Tags: security
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=826702 for details.

"Only match TCP packets with the SYN bit set and the ACK,RST and FIN
bits cleared"

Going by that description of --syn in iptables(8), I wouldn't expect --syn
to match SYN+FIN packets. I agree with the comment in the netfilter-devel
mailing list thread (conveniently linked in the CVE, and predating the CVE)
that says you need an explicit --tcp-flags to match the FIN bit.

Did I miss something?



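The point of the reply above is that --syn, as documented, matches only when SYN is set and ACK, RST and FIN are all clear, so a SYN+FIN segment slips past a "--syn -j DROP" rule and you need an explicit --tcp-flags mask that leaves FIN out to catch it. The following is an added example, not code from iptables or from anyone in this thread: a small Python model of the xt_tcp "mask/comp" flag test, with --syn assumed to be shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN" (the equivalence iptables(8) states). It parses the flag bits out of constructed 20-byte TCP headers and runs them through the documented rule and the hardened one. Rule names, the helper functions and the sample segments are all invented for the illustration.

```python
"""Model of iptables' TCP flag matching (xt_tcp): --syn vs an explicit --tcp-flags.

Added example, not iptables' own code. Assumption: --syn means
--tcp-flags SYN,RST,ACK,FIN SYN, i.e. SYN set and ACK, RST, FIN clear,
which is the iptables(8) description quoted in the thread.
"""
import struct

# TCP flag bits as they appear in the low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def parse_flag_list(spec):
    """Turn 'SYN,ACK,RST' (or 'ALL' / 'NONE') into a bitmask, mirroring --tcp-flags syntax."""
    spec = spec.upper()
    if spec == "ALL":
        return FIN | SYN | RST | PSH | ACK | URG
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= FLAG_NAMES[name]
    return mask


def tcp_flags_match(flags, mask_spec, comp_spec):
    """--tcp-flags MASK COMP: look only at the bits in MASK; exactly COMP must be set."""
    return (flags & parse_flag_list(mask_spec)) == parse_flag_list(comp_spec)


def syn_match(flags):
    """--syn as documented: SYN set, ACK/RST/FIN clear. FIN is in the mask, so SYN+FIN fails."""
    return tcp_flags_match(flags, "SYN,RST,ACK,FIN", "SYN")


def tcp_flags_from_segment(segment):
    """Extract the flag bits from a raw TCP header (data offset + flags live in bytes 12-13)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset_and_flags = struct.unpack("!H", segment[12:14])[0]
    return data_offset_and_flags & 0x3F


def build_segment(flags, sport=40000, dport=22):
    """Constructed 20-byte TCP header with the given flags (no options, zero checksum)."""
    data_offset = 5 << 12  # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset | flags, 65535, 0, 0)


def first_match(rules, flags, policy="ACCEPT"):
    """Evaluate (predicate, target) pairs first-match, like a chain with an ACCEPT policy."""
    for predicate, target in rules:
        if predicate(flags):
            return target
    return policy


# The rule the thread is about: "-p tcp --syn -j DROP" to refuse new connections.
SYN_ONLY_RULES = [(syn_match, "DROP")]

# Hardened variant: "-p tcp --tcp-flags SYN,ACK,RST SYN -j DROP". FIN is left out of
# the mask, so a SYN+FIN probe is treated like a plain SYN and dropped too.
EXPLICIT_RULES = [(lambda f: tcp_flags_match(f, "SYN,ACK,RST", "SYN"), "DROP")]


def evaluate(rules, segment):
    """Verdict for a raw TCP segment under the given rule list."""
    return first_match(rules, tcp_flags_from_segment(segment))


if __name__ == "__main__":
    for name, flags in (("SYN", SYN), ("SYN+FIN", SYN | FIN), ("SYN+ACK", SYN | ACK)):
        seg = build_segment(flags)
        print(f"{name:8s} --syn rule: {evaluate(SYN_ONLY_RULES, seg):6s} "
              f"explicit --tcp-flags rule: {evaluate(EXPLICIT_RULES, seg)}")
```

Under the model, a plain SYN is dropped by both rule sets, a SYN+ACK (reply traffic) is accepted by both, and only the explicit "--tcp-flags SYN,ACK,RST SYN" rule drops the SYN+FIN segment; that is the --tcp-flags form the netfilter-devel comment recommends instead of relying on --syn. On a real host the same check is "iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST SYN -j DROP" in place of "iptables -A INPUT -p tcp --syn -j DROP".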
