
List:       ipfilter
Subject:    IPFilter 4.1.23
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2007-05-31 13:21:33
Message-ID: 465ECBDD.4060307 () reed ! wattle ! id ! au

In the never ending quest for perfection and chasing
platform changes, this latest update fixes some bugs
that are new and some that are old.

I've also added this extra line to "ipfstat -s" output:
        82% hash efficiency

The routing header problem is perhaps the most serious
from a security perspective - if you weren't (or aren't)
blocking these packets explicitly, e.g.

block in quick with v6hdrs routing

then the presence of the routing header would cause ipf
to not find the next (TCP/UDP) header in the correct place.
A regression test (ipv6.5) has been added to check for
dealing with IPv6 routing header packets.

Darren

http://coombs.anu.edu.au/~avalon/ip_fil4.1.23.tar.gz
http://coombs.anu.edu.au/~avalon/patch-4.1.23.gz

4.1.23 - Released 31 May 2007

NAT was not always correctly fixing ICMP headers for errors

some TCP state steps when closing do not update timeouts, leading to
them being removed prematurely.

fix compilation problems for NetBSD 4.99

protect enumeration of lists in the kernel from callout interrupts on
BSD without locking

fix various problems with IPv6 header checks: TCP/UDP checksum validation
was not being done, fragmentation header parsed dangerously and routing
header prevented others from being seen

fix gcc 4.2 compiler warnings

fix TCP/UDP checksum calculation for IPv6

fix reference after free'ing ipftoken memory

4.1.22 - Released 13 May 2007

MD5 (ip_fil4.1.23.tar.gz) = f770ab22be017ccd9547c59f21dbbb11
MD5 (patch-4.1.23.gz) = bb64bd7102622dbea98a872a7b53ec90
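
The header walk a filter needs so that a routing header does not hide the TCP/UDP header, as an added example that is not part of the original message and is not IPFilter's code. The function name `find_upper_layer`, the constants and the sample packet are constructed for illustration, and only hop-by-hop, routing, destination-options and fragment headers are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { IP6_HDRLEN = 40, NH_HOPOPTS = 0, NH_TCP = 6,
       NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };

/* Walk the extension header chain: return the upper-layer protocol and set
 * *off to its offset, or -1 if truncated or a non-first fragment. */
int find_upper_layer(const uint8_t *pkt, size_t len, size_t *off)
{
    size_t pos = IP6_HDRLEN, hlen;
    int nh;
    if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6) return -1;
    nh = pkt[6];                     /* Next Header of the fixed header */
    for (;;) {                       /* invariant: pos <= len */
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (len - pos < 8) return -1;
            hlen = ((size_t)pkt[pos + 1] + 1) * 8;  /* Hdr Ext Len, 8-octet units */
            break;
        case NH_FRAGMENT:            /* fixed 8 bytes; offset is the top 13 bits */
            if (len - pos < 8) return -1;
            if (((pkt[pos + 2] << 8) | pkt[pos + 3]) & 0xfff8) return -1;
            hlen = 8;
            break;
        default:                     /* caller must still bounds-check the payload */
            *off = pos;
            return nh;
        }
        if (hlen > len - pos) return -1;
        nh = pkt[pos];               /* Next Header field of the header just parsed */
        pos += hlen;
    }
}

/* Constructed sample: fixed header -> 8-byte routing header -> TCP header */
static const uint8_t sample_rh[68] = {
    [0] = 0x60, [5] = 28, [6] = NH_ROUTING, [7] = 64, [40] = NH_TCP,
    [48] = 0x04, [49] = 0xd2, [51] = 0x50, [60] = 0x50,  /* TCP 1234 -> 80 */
};

int main(void)
{
    size_t off = 0;
    int proto = find_upper_layer(sample_rh, sizeof sample_rh, &off);
    printf("upper-layer protocol %d at offset %zu\n", proto, off);
    return 0;
}
```

On the sample the TCP ports sit at offset 48, not 40, so port-based rules only see them once the routing header has been stepped over.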
