CVE: CAN-2003-0187
Updated: Tue, 06 Jul 2004 14:34:22 +0900
Summary: The connection tracking core of Netfilter for Linux 2.4.20, with
         CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, 
	 allows remote attackers to cause a denial of service (resource 
	 consumption) due to an inconsistency with Linux 2.4.20's support of 
	 linked lists, which causes Netfilter to fail to identify connections 
	 with an UNCONFIRMED status and use large timeouts.
	 (text:CAN-2003-0187)
Priority: High
Status: Closed
Source: RHSA-2003:172-27, Netfilter.Org
Link:  http://www.ultramonkey.org/news_archive.shtml#2003060500
       http://www.ultramonkey.org/news_archive.shtml#2003120800
Resolved In:
  Kernel: 2.4.21-pre6 (Introduced in 2.4.20-pre6)
  Patch:  http://linux.bkbits.net:8080/linux-2.4/cset@1.930.35.21??nav=index.html
  Red Hat Linux 7.3:
          Vendor:      kernel-2.4.20-13.7
          UltraMonkey: kernel-2.4.20-18.7.um.1
  Red Hat Linux 8.0:
          Vendor:      kernel-2.4.20-13.8
          UltraMonkey: kernel-2.4.20-18.8.um.1
  Red Hat Linux 9:
          Vendor:      kernel-2.4.20-13.9
          UltraMonkey: kernel-2.4.20-19.9.um.1 (initial release)
  Fedora Core 1:
          Vendor:      Not Vulnerable (>2.4.20)
          UltraMonkey: Not Vulnerable (>2.4.20)
  Red Hat Enterprise Linux 3:
          Vendor:      Not Vulnerable (>2.4.20)
          UltraMonkey: Not Vulnerable (>2.4.20)
  Debian Woody:
          Vendor:      Not Vulnerable (<2.4.20-pre6)
          UltraMonkey: 2.4.22-4woody.um.1
  Debian Sid:
          Vendor:      kernel-source-2.4.20_2.4.20-13
          UltraMonkey: 2.4.22-4.um.1