Your submission was sent successfully! Close

CVE-2008-4576

Published: 15 October 2008

sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.

From the Ubuntu security team

It was discovered that the SCTP stack did not correctly handle INIT-ACK. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service. This issue did not affect Ubuntu 8.10.

Priority

Low

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
dapper Does not exist

gutsy Does not exist

hardy
Released (2.6.24-22.45)
intrepid Not vulnerable

upstream
Released (2.6.27~rc7)
Patches:
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=add52379dde2e5300e2d574b172e62c6cf43b3d3
linux-source-2.6.15
Launchpad, Ubuntu, Debian
dapper
Released (2.6.15-53.74)
gutsy Does not exist

hardy Does not exist

intrepid Does not exist

upstream
Released (2.6.27~rc7)
linux-source-2.6.22
Launchpad, Ubuntu, Debian
dapper Does not exist

gutsy
Released (2.6.22-16.60)
hardy Does not exist

intrepid Does not exist

upstream
Released (2.6.27~rc7)