
[Savannah-hackers] http://www.secunia.com/advisories/8786/


From: Mathieu Roy
Subject: [Savannah-hackers] http://www.secunia.com/advisories/8786/
Date: 21 May 2003 17:59:30 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

Are GNU Machines updated regarding this bug?




http://www.secunia.com/advisories/8786/

Description:
A vulnerability has been identified in the Linux Kernel 2.4 branch, which can 
be exploited by malicious people to cause a Denial of Service condition.

The problem is the way that the Linux Kernel handles caching of routing 
information. By flooding a Linux system with packets with spoofed source 
addresses, the handling of the cache will consume large amounts of CPU power. 
This could potentially bring a Linux system offline with a rate of only 400 
packets per second by using carefully chosen source addresses that cause hash 
collisions in the table.

A Denial of Service could still be performed if the system uses iptables 
(netfilter) to filter traffic. This is even possible with randomly chosen IP 
addresses that don't cause a hash collision, since it just requires a higher 
rate of packets.

For further details about how this feature backfired see "Other References".

Solution:
We are not aware of an official patch or update for the Linux Kernel.

A temporary workaround could be to filter traffic using the PREROUTING chain 
instead of the INPUT chain in iptables, as PREROUTING is performed before the 
route cache. This would only require minor changes to the filter rules.

Red Hat has issued updated kernel packages. These also fix certain non-security 
related issues (see Red Hat advisory for details):

-- 
Mathieu Roy
 
  Homepage:
    http://yeupou.coleumes.org
  Not a native English speaker: 
    http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english
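
The workaround in the quoted advisory, moving filter rules from INPUT to PREROUTING, shown as an added example that is not part of the original message or the advisory. It assumes a host that does not forward traffic, uses the mangle table because the filter table has no PREROUTING chain, and runs on a constructed iptables-save ruleset; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: rewrite filter/INPUT rules (iptables-save format) as
# mangle/PREROUTING rules, so unwanted packets are dropped before the
# routing decision and never reach the route cache.
# Assumption: the host does not forward traffic. PREROUTING also sees
# transit packets, so a final DROP there would break a router.

# Constructed sample ruleset, not taken from any real machine.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j DROP
COMMIT
EOF
}

# Reads an iptables-save dump on stdin, writes the PREROUTING version.
to_prerouting() {
awk '
/^\*filter$/ { print "*mangle"; next }
/^:INPUT /   { # A DROP policy becomes an explicit last rule instead.
               if ($2 == "DROP") policy_drop = 1
               print ":PREROUTING ACCEPT [0:0]"; next }
/^:/         { next }   # FORWARD and OUTPUT policies stay in filter
/^-A INPUT / { # REJECT is only valid in the filter table: flag it, do not
               # silently turn it into something else.
               if ($0 ~ / -j REJECT/) {
                   print "# UNTRANSLATED (REJECT is filter-only): " $0
                   next
               }
               sub(/^-A INPUT /, "-A PREROUTING ")
               print; next }
/^COMMIT$/   { if (policy_drop) print "-A PREROUTING -j DROP"
               print; next }
'
}

# Print the translated ruleset for review.
sample_rules | to_prerouting
```

The existing INPUT rules can stay loaded alongside the result; they then only see the packets that PREROUTING let through, which is also where any flagged REJECT rule keeps working.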
