Bug 459942 - kernel: nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization [mrg-1]
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
All Linux
high Severity high
: 1.0.3
Assigned To: Red Hat Real Time Maintenance
Reported: 2008-08-24 21:02 EDT by Eugene Teo (Security Response)
Modified: 2008-10-07 15:20 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-10-07 15:20:30 EDT

Attachments
Upstream patch for this issue (1.97 KB, patch)
2008-08-24 21:03 EDT, Eugene Teo (Security Response)
Patch for MRG (2.91 KB, patch)
2008-09-09 15:55 EDT, Luis Claudio R. Goncalves

Description Eugene Teo (Security Response) 2008-08-24 21:02:31 EDT
Description of problem:
Use incoming network tuple as seed for NAT port randomization. This avoids concerns of leaking net_random() bits, and also gives better port distribution.
Comment 2 Eugene Teo (Security Response) 2008-08-24 21:03:59 EDT
Created attachment 314889
Upstream patch for this issue
Comment 5 Luis Claudio R. Goncalves 2008-09-09 15:55:36 EDT
Created attachment 316250
Patch for MRG

Queued for -79
Comment 7 David Sommerseth 2008-09-24 04:43:35 EDT
Verified that the "Patch for MRG" (https://bugzilla.redhat.com/attachment.cgi?id=316250) is added in the mrg-rt- source tree.  mrg-rt.git commit 256fe604b0cec4145abe5d7ebacb92fef8709b5a
Comment 9 errata-xmlrpc 2008-10-07 15:20:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

