Bug 765488 - VUL-1: CVE-2012-2663: iptables: -m tcp --syn behaves unexpectedly
VUL-1: CVE-2012-2663: iptables: -m tcp --syn behaves unexpectedly
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
.
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-05 12:49 UTC by Matthias Weckbecker
Modified: 2019-04-11 22:46 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2012-06-05 12:49:35 UTC
(We have splitted this into two dedicated bugs for better tracking purposes)

Initially the issue was reported as being a kernel DoS (bnc#765102) this can
also lead to certain iptables rules getting bypassed.

Detailed explanation available at:

  http://www.spinics.net/lists/netfilter-devel/msg21248.html
Comment 1 Swamp Workflow Management 2012-06-05 22:00:31 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2012-06-12 15:39:35 UTC
the cve is used here... CVE-2012-2663
Comment 3 Vítězslav Čížek 2014-01-20 15:23:36 UTC
Reading the thread above, they came to conclusion that it's not worth fixing:
http://www.spinics.net/lists/netfilter-devel/msg21259.html

The upstream didn't fix this, nor did Debian or Red Hat.
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675445

Do we want the patch from http://www.spinics.net/lists/netfilter-devel/msg21245.html ?
Comment 4 Sebastian Krahmer 2014-01-21 07:58:53 UTC
But its already fixed via bnc#765102 ?
Above CVE is mentioned there.
Comment 5 Vítězslav Čížek 2014-01-21 10:59:17 UTC
Ok.
As long as our kernels drop the SYN/FIN packets,
we don't have to care about the iptables part.

You can close the bug.
Comment 6 Sebastian Krahmer 2014-01-21 13:06:43 UTC
closing