should block ipv6 RH0

Bug #740249 reported by Jamie Strandboge on 2011-03-22
This bug affects 1 person
Affects (importance, assigned to):
ufw (Ubuntu): High, Jamie Strandboge
Maverick: High, Jamie Strandboge
Natty: High, Jamie Strandboge

Bug Description

Binary package hint: ufw

The following should be added to before6.rules, after the loopback rules:
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP

See IPv6 Routing Header Security by Philippe Biondi and Arnaud Ebalard released at CanSecWest 2007 for more information about this issue (http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf).
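
A defender-side check for the rules requested above, as an added example that is not part of the original report or of ufw's own code: it parses rules text in ip6tables-restore syntax and reports, per chain, whether the unconditional RH0 drop is present. Treating a drop that follows a non-loopback ACCEPT as "late" is this example's assumption about why the report asks for placement right after the loopback rules; the sample rules and function names are constructed for illustration.

```python
import shlex

CHAINS = ("ufw6-before-input", "ufw6-before-forward", "ufw6-before-output")
RH0_DROP = ["-m", "rt", "--rt-type", "0", "-j", "DROP"]

# Constructed sample in ip6tables-restore syntax; not the shipped before6.rules.
SAMPLE_RULES = """\
*filter
:ufw6-before-input - [0:0]
:ufw6-before-forward - [0:0]
:ufw6-before-output - [0:0]
# allow all on loopback
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP
-A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def has_pair(tokens, flag, value):
    """True if `flag` is immediately followed by `value` somewhere in the rule."""
    return any(a == flag and b == value for a, b in zip(tokens, tokens[1:]))

def audit(rules_text):
    """Map each chain to 'ok', 'missing' or 'late'.

    'late' means a non-loopback ACCEPT in the same chain precedes the RH0 drop,
    so some traffic could be accepted before the drop is evaluated.
    """
    status = {chain: "missing" for chain in CHAINS}
    accept_seen = set()
    for line in rules_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comment lines
        if len(tokens) < 3 or tokens[0] != "-A" or tokens[1] not in status:
            continue
        chain = tokens[1]
        loopback = has_pair(tokens, "-i", "lo") or has_pair(tokens, "-o", "lo")
        if tokens[2:] == RH0_DROP:  # exact match: a narrower rule does not count
            if status[chain] == "missing":
                status[chain] = "late" if chain in accept_seen else "ok"
        elif has_pair(tokens, "-j", "ACCEPT") and not loopback:
            accept_seen.add(chain)
    return status

if __name__ == "__main__":
    for chain, state in audit(SAMPLE_RULES).items():
        print(f"{chain}: {state}")
```

To audit a real host, pass the contents of its before6.rules file to `audit()` instead of the constructed sample.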


Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → In Progress
Changed in ufw (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Natty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ufw - 0.30.1-1ubuntu1

---------------
ufw (0.30.1-1ubuntu1) natty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/rules: Don't install the upstream application profiles that are
      shipped with the Debian package.
    - debian/control: use ufw-0.30-natty for Vcs-Bzr

ufw (0.30.1-1) unstable; urgency=low

  * New upstream release which fixes the following:
    - LP: #501140
    - LP: #740249
    - LP: #740256
    - LP: #720605
  * debian/ufw.logrotate: remove upstartism thanks to Michael Biebl
    (Closes: 607696)
  * debian/sysctl.conf: merge in upstream (commented out) changes surrounding
    ipv6 forwarding and privacy addresses
  * debian/before*.rules.md5sum: updated for recent changes
 -- Jamie Strandboge <email address hidden> Tue, 22 Mar 2011 12:18:42 -0500

Changed in ufw (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in ufw (Ubuntu Maverick):
status: Triaged → Won't Fix
no longer affects: ufw (Ubuntu Lucid)