CVE: CAN-2003-0550
Updated: Tue, 06 Jul 2004 14:30:55 +0900
Summary: The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. This bug has been fixed by disabling STP by default. (text:DSA-358-4)
Priority: High
Status: Closed
Source: DSA-358-4, RHSA-2004:188-14, RHSA-2003:238-16
Link:
  http://www.ultramonkey.org/news_archive.shtml#2003080600
  http://www.ultramonkey.org/news_archive.shtml#2003120800
Resolved In:
  Kernel: 2.4.22-pre3
    Patch: http://linux.bkbits.net:8080/linux-2.4/cset@1.1003.11.4?nav=index.html
  Red Hat Linux 7.3:
    Vendor: kernel-2.4.20-19.7
    UltraMonkey: kernel-2.4.20-19.7.um.1
  Red Hat Linux 8.0:
    Vendor: kernel-2.4.20-19.8
    UltraMonkey: kernel-2.4.20-19.8.um.1
  Red Hat Linux 9:
    Vendor: kernel-2.4.20-19.9
    UltraMonkey: kernel-2.4.20-19.9.um.1 (initial release)
  Fedora Core 1:
    Vendor: Not Vulnerable (=>2.4.22-pre3)
    UltraMonkey: Not Vulnerable (=>2.4.22-pre3)
  Red Hat Enterprise Linux 3:
    Vendor: kernel-2.4.21-4.0.1.EL
    UltraMonkey: kernel-2.4.21-9.EL.um.1 (initial release)
  Debian Woody:
    Vendor: kernel-source-2.4.18_2.4.18-11
    UltraMonkey: kernel-source-2.4.22_2.4.22-1-ipvs_2.4.22-4woody.um.1
  Debian Sid:
    Vendor: kernel-2.4.21_2.4.21-4
    UltraMonkey: kernel-source-2.4.22_2.4.22-1-ipvs_2.4.22-4.um.1