Linux SCTP before 2.6.17 allows remote attackers to cause a denial of service via incoming IP fragmented COOKIE_ECHO and HEARTBEAT SCTP control chunks. This issue hasn't been reproduced with RHEL4, but the vulnerable code is the same as upstream. The upstream fix can be found here: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=62b08083ec3dbfd7e533c8d230dd1d8191a6e813
Committed in stream U4 build 36.1. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0493.html