View Issue Details

IDProjectCategoryView StatusLast Update
0002853CentOS-5kernelpublic2009-02-18 16:34
Status closedResolutionfixed 
Product Version 
Target VersionFixed in Version5.2 
Summary0002853: Kernel 2.6.18-53.1.21 breaks IPSEC
Descriptionkernel 2.6.18-53.1.21 fixes several Denial of Service attacks in the core of the Linux operating system - has more information about that.

One of the fixes was a fix against the IPsec protocol implementation:

* the possibility of a kernel crash was found in the Linux kernel IPsec
protocol implementation, due to improper handling of fragmented ESP
packets. When an attacker controlling an intermediate router fragmented
these packets into very small pieces, it would cause a kernel crash on the
receiving node during packet reassembly. (CVE-2007-6282, Important)

This "fix" seems to break IPsec completely in the kernel so that it isn't usable anymore. There is an open ticket in upstream's bugzilla about this issue:

As this is only *one* of four different Denial of Service scenarios which are fixed in that kernel and there has been a fix to some soft lockup issues with paravirtualized guests, the CentOS team still recommends to install this kernel, *except* if you absolutely need IPsec and can live with a possible Denial of Service attack as described above. If you need IPsec we advise you to follow for workarounds or wait until a fixed kernel is available.
TagsNo tags attached.




2008-05-27 18:49

reporter   ~0007360

For the benefit of those who do not have access to the upstream bugzilla report, this bug has been fixed in the updated 5.2 kernel (version number 2.6.18-92.el5), and this kernel also contains the CVE-2007-6282 patch. I would recommend that people affected by this bug upgrade to 2.6.18-92.el5.


2008-07-22 09:57

administrator   ~0007734

Could that be related to bug 0002639?


2008-07-22 09:57

administrator   ~0007735

Ermm. #2639 that is (does that now link?)


2009-02-18 16:34

administrator   ~0008734


Issue History

Date Modified Username Field Change
2008-05-21 11:33 range New Issue
2008-05-21 11:34 range Status new => confirmed
2008-05-21 11:40 range Description Updated
2008-05-27 18:49 djao Note Added: 0007360
2008-07-22 09:57 range Note Added: 0007734
2008-07-22 09:57 range Note Added: 0007735
2008-07-22 09:57 range Status confirmed => feedback
2009-02-18 16:34 range Note Added: 0008734
2009-02-18 16:34 range Status feedback => closed
2009-02-18 16:34 range Resolution open => fixed
2009-02-18 16:34 range Fixed in Version => 5.2