Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] kernel 2.4: ipchains and ip_masq_ftp
  • From: Sergi Puso Gallart <lligalescorts@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 31 Jul 2001 14:01:56 -0500 (CDT)
  • Message-id: <Pine.LNX.3.96.1010731140044.29737A-100000@xxxxxxxxxxxxxxxxxxxxxxx>
maf king wrote:
> One thing to bear in mind with this approach: AFAIK the stock SuSE 7.2
> 2.4.4 kernel hasn't been patched to close the serious security hole in
> ip_conntrack_ftp, so if security is of any importance at all, and you have
> to allow FTP, 2.2.19 is probably better.

I thought that problem only affected kernels <= 2.4.3. Looking at my
SuSE 7.2 system with a 2.4.4-4GB kernel (default), I see the following
in lines 352-355 of my
/usr/src/linux-2.4.4.SuSE/net/ipv4/netfilter/ip_conntrack_ftp.c:
----
/* Thanks to Cristiano Lincoln Mattos
   <lincoln@xxxxxxxxxxxx> for reporting this potential
   problem (DMZ machines opening holes to internal
   networks, or the packet filter itself). */
if (!loose) goto out;
----
So I would say that this problem has been taken care of... Could someone
from SuSE please confirm this?

Thanks,

Sergi
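
The check quoted in the message above, sketched as a user-space C program. This is an added example, not part of the original mail and not the kernel's own code. It assumes the guarded branch is the one reached when the address inside the FTP PORT command differs from the address of the host that sent it; `parse_port_cmd`, `allow_expectation` and the sample addresses are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Parse "PORT h1,h2,h3,h4,p1,p2" into a host-order address and port.
   Returns 0 on success, -1 on malformed input. */
int parse_port_cmd(const char *line, uint32_t *ip, uint16_t *port)
{
    unsigned int a[6];
    char tail = '\0';
    int i, n;
    n = sscanf(line, "PORT %u,%u,%u,%u,%u,%u%c",
               &a[0], &a[1], &a[2], &a[3], &a[4], &a[5], &tail);
    if (n < 6 || (n == 7 && tail != '\r' && tail != '\n'))
        return -1;
    for (i = 0; i < 6; i++)
        if (a[i] > 255)
            return -1;
    *ip = IP4(a[0], a[1], a[2], a[3]);
    *port = (uint16_t)((a[4] << 8) | a[5]);
    return 0;
}

/* Hypothetical helper: returns 1 if a data connection may be expected,
   0 if the command must be ignored. sender_ip is the host that sent the
   command on the control connection; loose mirrors the flag in the excerpt. */
int allow_expectation(const char *line, uint32_t sender_ip, int loose)
{
    uint32_t ip;
    uint16_t port;
    if (parse_port_cmd(line, &ip, &port) != 0)
        return 0;
    /* Address names a third host: refuse unless loose is set,
       the same outcome as "if (!loose) goto out;". */
    if (ip != sender_ip && !loose)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: DMZ host 192.0.2.10 names internal host 10.0.0.5. */
    const char *cmd = "PORT 10,0,0,5,4,1\r\n";
    printf("strict: %d, loose: %d\n",
           allow_expectation(cmd, IP4(192, 0, 2, 10), 0),
           allow_expectation(cmd, IP4(192, 0, 2, 10), 1));
    return 0;
}
```

With `loose` left at 0, only a command that names its own sender leads to an expected data connection, which is what keeps a DMZ machine from having a path opened to a different internal host.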


