should block ipv6 RH0
Bug #740249 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw (Ubuntu) | Fix Released | High | Jamie Strandboge |
Maverick | Won't Fix | High | Jamie Strandboge |
Natty | Fix Released | High | Jamie Strandboge |
Bug Description
Binary package hint: ufw
The following should be added to before6.rules, after the loopback rules:
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP
See IPv6 Routing Header Security by Philippe Biondi and Arnaud Ebalard released at CanSecWest 2007 for more information about this issue (http://
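One way to check a before6.rules file for the rules proposed above, as an added example that is not part of the bug report or of ufw: it reports, per chain, whether the unconditional RH0 DROP rule is present and whether a non-loopback ACCEPT rule precedes it (the first matching rule wins). The sample rules text and the `ok`/`missing`/`shadowed` labels are constructed for illustration.

```python
import shlex

CHAINS = ("ufw6-before-input", "ufw6-before-forward", "ufw6-before-output")
RH0_DROP = sorted(["-m", "rt", "--rt-type", "0", "-j", "DROP"])

# Constructed sample (not a real ufw file): input is correct, output has the
# RH0 rule after a non-loopback ACCEPT, forward has no RH0 rule at all.
SAMPLE = """\
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m rt --rt-type 0 -j DROP
COMMIT
"""

def parse_rules(text):
    """Return (chain, option tokens) for every '-A' rule, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            tok = shlex.split(line)
            rules.append((tok[1], tok[2:]))
    return rules

def has(tok, flag, value):
    """True if `flag` is immediately followed by `value` in the rule."""
    return any(a == flag and b == value for a, b in zip(tok, tok[1:]))

def audit(text):
    """Map each ufw6-before-* chain to 'ok', 'missing' or 'shadowed'."""
    result = {c: "missing" for c in CHAINS}
    accept_seen = set()  # chains where a non-loopback ACCEPT came first
    for chain, tok in parse_rules(text):
        if chain not in result:
            continue
        if sorted(tok) == RH0_DROP:  # only the unconditional form counts
            if result[chain] == "missing":
                result[chain] = "shadowed" if chain in accept_seen else "ok"
        elif has(tok, "-j", "ACCEPT") and not (
                has(tok, "-i", "lo") or has(tok, "-o", "lo")):
            accept_seen.add(chain)
    return result

if __name__ == "__main__":
    print(audit(SAMPLE))
```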
Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → In Progress
Changed in ufw (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in ufw (Ubuntu Maverick):
status: Triaged → Won't Fix
no longer affects: ufw (Ubuntu Lucid)
This bug was fixed in the package ufw - 0.30.1-1ubuntu1
---------------
ufw (0.30.1-1ubuntu1) natty; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/rules: Don't install the upstream application profiles that are
shipped with the Debian package.
- debian/control: use ufw-0.30-natty for Vcs-Bzr
ufw (0.30.1-1) unstable; urgency=low
* New upstream release which fixes the following:
- LP: #501140
- LP: #740249
- LP: #740256
- LP: #720605
* debian/ufw.logrotate: remove upstartism thanks to Michael Biebl
(Closes: 607696)
* debian/sysctl.conf: merge in upstream (commented out) changes surrounding
ipv6 forwarding and privacy addresses
* debian/before*.rules.md5sum: updated for recent changes
-- Jamie Strandboge <email address hidden> Tue, 22 Mar 2011 12:18:42 -0500