should block ipv6 RH0

Bug #740249 reported by Jamie Strandboge
This bug affects 1 person
Affects        Status         Importance  Assigned to       Milestone
ufw (Ubuntu)   Fix Released   High        Jamie Strandboge
Maverick       Won't Fix      High        Jamie Strandboge
Natty          Fix Released   High        Jamie Strandboge

Bug Description

Binary package hint: ufw

The following should be added to before6.rules, after the loopback rules:
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP

See IPv6 Routing Header Security by Philippe Biondi and Arnaud Ebalard released at CanSecWest 2007 for more information about this issue (http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf).
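
An added example, not part of the original report and not ufw's own code: a small audit that checks a before6.rules file for the three RH0 drop rules quoted above and for their placement after the loopback rules. The function name `audit_rh0` and both sample rule sets are constructed for illustration, and treating any non-loopback rule ahead of the RH0 drop as a problem is an assumption that is stricter than the report's wording.

```python
import re

CHAINS = ("ufw6-before-input", "ufw6-before-forward", "ufw6-before-output")
RH0 = re.compile(r"-m\s+rt\s+--rt-type\s+0\s+-j\s+DROP\b")
LOOPBACK = re.compile(r"\s-[io]\s+lo\s")

def audit_rh0(rules_text):
    """Return {chain: problem} for chains whose RH0 drop is missing or misplaced."""
    seen = {c: [] for c in CHAINS}          # per chain: rule kinds in file order
    for line in rules_text.splitlines():
        line = line.strip()
        m = re.match(r"-A\s+(\S+)\s", line)
        if not m or m.group(1) not in seen:
            continue                        # comments, table headers, other chains
        if RH0.search(line):
            kind = "rh0"
        elif LOOPBACK.search(line + " "):
            kind = "lo"
        else:
            kind = "other"
        seen[m.group(1)].append(kind)
    problems = {}
    for chain, kinds in seen.items():
        if "rh0" not in kinds:
            problems[chain] = "missing"
            continue
        idx = kinds.index("rh0")
        if "other" in kinds[:idx]:
            problems[chain] = "late"        # assumption: an earlier rule may match first
        elif "lo" in kinds[idx:]:
            problems[chain] = "before-loopback"
    return problems

# Constructed sample: the layout the report asks for.
GOOD = """*filter
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT
# drop packets with RH0 headers
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP
-A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT"""

# Constructed sample: forward rule absent, output rule placed after an ACCEPT.
BAD = """-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m rt --rt-type 0 -j DROP"""
```

An empty result means all three chains carry the drop rule in the expected position.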


Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → In Progress
Changed in ufw (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ufw (Ubuntu Natty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.30.1-1ubuntu1

---------------
ufw (0.30.1-1ubuntu1) natty; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/rules: Don't install the upstream application profiles that are
      shipped with the Debian package.
    - debian/control: use ufw-0.30-natty for Vcs-Bzr

ufw (0.30.1-1) unstable; urgency=low

  * New upstream release which fixes the following:
    - LP: #501140
    - LP: #740249
    - LP: #740256
    - LP: #720605
  * debian/ufw.logrotate: remove upstartism thanks to Michael Biebl
    (Closes: 607696)
  * debian/sysctl.conf: merge in upstream (commented out) changes surrounding
    ipv6 forwarding and privacy addresses
  * debian/before*.rules.md5sum: updated for recent changes
 -- Jamie Strandboge <email address hidden> Tue, 22 Mar 2011 12:18:42 -0500

Changed in ufw (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in ufw (Ubuntu Maverick):
status: Triaged → Won't Fix
no longer affects: ufw (Ubuntu Lucid)