remove extraneous source quench rule

Bug #1558068 reported by hucste on 2016-03-16
Assigned to: Jamie Strandboge

Bug Description

In before.rules, these rules are:

-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT

According to the IETF draft recommendation on ICMP filtering (2013-2014), source quench is deprecated and exploited for attacks.
(see: https://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04#section-2.1.2)

$ ufw --version
ufw 0.34~rc-0ubuntu2
Copyright 2008-2012 Canonical Ltd

# Trusty
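As an added example (not code from ufw, the bug reporter, or the IETF draft), the following POSIX shell functions audit a before.rules file for the ICMP source-quench ACCEPT rules quoted above and produce a copy with those rules removed, which is the check an administrator on an older release would want before the 0.36 fix lands. The path /etc/ufw/before.rules is the usual Ubuntu location but is only an assumption here; the script never touches a live file on its own, and the sample rules it builds are a constructed excerpt modelled on the before.rules layout.

```shell
#!/bin/sh
# Added example, not code from the ufw project or this bug report: audit a
# ufw before.rules file for ICMP source-quench ACCEPT rules and emit a copy
# with them deleted. Usage against a real file (path is an assumption):
#   audit_rules /etc/ufw/before.rules
#   strip_source_quench_rules /etc/ufw/before.rules > before.rules.new

PATTERN='--icmp-type source-quench'

# Print the number of rules in FILE that match ICMP source quench.
count_source_quench_rules() {
    # grep -c exits 1 when the count is 0; that is a valid answer, not an error
    grep -c -- "$PATTERN" "$1" || true
}

# Print each matching rule with its line number (no output when clean).
list_source_quench_rules() {
    grep -n -- "$PATTERN" "$1" || true
}

# Write FILE to stdout with every source-quench rule deleted; chain
# definitions, other ICMP types and COMMIT pass through unchanged.
strip_source_quench_rules() {
    sed "/$PATTERN/d" "$1"
}

# Human-readable report: returns 0 when clean, 1 when rules were found.
audit_rules() {
    n=$(count_source_quench_rules "$1")
    if [ "$n" -eq 0 ]; then
        echo "$1: no source-quench rules found"
        return 0
    fi
    echo "$1: $n source-quench ACCEPT rule(s) found (deprecated by RFC 6633):"
    list_source_quench_rules "$1"
    return 1
}

# Constructed sample modelled on the before.rules layout; writes it to a
# temporary file and prints the path so the functions can be run offline.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-forward - [0:0]
# ok icmp codes (constructed excerpt, not a real distribution file)
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
COMMIT
EOF
    echo "$f"
}
```

The deletion is by line rather than by rewriting the rule, so the two other ICMP chains and the COMMIT line are left intact; after replacing the file, `ufw reload` (a real ufw subcommand) is what would make the change take effect.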


Jamie Strandboge (jdstrand) wrote :

The Linux kernel was given CVE-2004-0791 for implementing source quench and looking at the kernel sources, I verified it silently ignores this, so the (ancient) rule does not pose a security issue, but it should be removed.

summary: - source quench
+ remove extraneous source quench rule
information type: Private Security → Public
Changed in ufw:
status: New → Fix Committed
importance: Undecided → Low

Jamie Strandboge (jdstrand) wrote :

This is fixed in the new 0.36 release.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
status: Fix Committed → Fix Released

An upload of ufw to cosmic-proposed has been rejected from the upload queue for the following reason: "All bugs mentioned in the .changes file (so therefore also in the new debian/changelog entries) need to comply with SRU standards (test-case, regression potential). Please re-upload after filling out the required info or modify changelog to exclude irrelevant bug numbers.".
