About
Coreteam
Contributors
History
License
Thanks
PGP key
Projects
iptables
nftables
libnftnl
libnfnetlink
libnetfilter_acct
libnetfilter_log
libnetfilter_queue
libnetfilter_conntrack
libnetfilter_cttimeout
libnetfilter_cthelper
conntrack-tools
libmnl
nfacct
ipset
nf-hipac
patch-o-matic-ng
ulogd
xtables-addons
Downloads
git Repository
ftp Server
rsync Server
News
libmnl 1.0.4 released
public statement on GPL compliance
nftables 0.6 released
libnftnl 1.0.6 released
iptables 1.6.0 released
new PGP keys
nftables 0.5 released
libnftnl 1.0.5 released
libnftnl 1.0.4 released
conntrack-tools 1.4.3 released
libnetfilter_conntrack 1.0.5 released
ulogd 2.0.5 released
nftables 0.4 released
libnftnl 1.0.3 released
nftables 0.3 released
libnftnl 1.0.2 released
libnftnl 1.0.1 released
nftables 0.2 released
ulogd 2.0.4 released
nftables 0.099 released
libnftnl 1.0.0 released
iptables 1.4.21 released
ulogd 2.0.3 released
conntrack-tools 1.4.2 released
iptables 1.4.20 released
libnetfilter_conntrack 1.0.4 released
iptables 1.4.19.1 released
iptables 1.4.19 released
libnetfilter_conntrack 1.0.3 released
iptables 1.4.18 released
ulogd 2.0.2 released
nfacct 1.0.1 released
conntrack-tools 1.4.1 released
libnetfilter_acct 1.0.2 released
iptables 1.4.17 released
New ulogd2 maintainer
Netfilter core team updates
iptables 1.4.16.3 released
libnetfilter_acct 1.0.1 released
libnetfilter_cthelper 1.0.0 released
ulogd 2.0.1 released
conntrack-tools 1.4.0 released
libnetfilter_queue 1.0.2 released
libnetfilter_conntrack 1.0.2 released
libnfnetlink 1.0.1 released
iptables 1.4.16.2 released
iptables 1.4.16.1 released
iptables 1.4.16 released
conntrack-tools 1.2.2 released
iptables 1.4.15 released
ulogd 2.0.0 released
conntrack-tools 1.2.1 released
libmnl 1.0.3 released
iptables 1.4.14 released
conntrack-tools 1.2.0 released
libnetfilter_cttimeout 1.0.0 released
libnetfilter_conntrack 1.0.1 released
security notice on conntrack helpers
iptables 1.4.13 released
nfacct 1.0.0 released
libnetfilter_acct 1.0.0 released
conntrack-tools 1.0.1 released
libnetfilter_conntrack 1.0.0 released
libnetfilter_log 1.0.1 released
libnetfilter_queue 1.0.1 released
libmnl 1.0.2 released
iptables 1.4.12.2 released
iptables 1.4.12.1 released
new PGP keys
iptables 1.4.12 released
iptables 1.4.11.1 released
iptables 1.4.11 released
conntrack-tools 1.0.0 released
libnetfilter_conntrack 0.9.1 released
Documentation
FAQ
HOWTOs
Events
Tutorials
Various other docs
Security Information
Mailing Lists
List Rules
netfilter-announce list
netfilter list
netfilter-devel list
netfilter-failover list
Contact
bugzilla
coreteam
webmaster
imprint / postal address
Supporting netfilter
Licensing
Events
Links
Mirrors
About website

Security information by the netfilter project

Security Announcements

Unfortunately, all software has bugs from time to time. Software bugs can really hurt in case the software is security software. In this section we will only cover userspace security problems. For kernel related issues, please refer to Linux kernel changelog files. Anyhow, we keep here old kernel security reports since linux 2.4.x for the record, but do not expect this section to be updated with kernel security issues.

Jun-30-2004: DoS vulnerability in 2.6.x tcp option parser

Original Announcement

This bug is only present in 2.6.x kernels. 2.4.x kernels are definitely not affected.

Aug-01-2003: Connection tracking linked list handling bug

Original Announcement

This bug has appeared only in the 2.4.20 kernel. It is not present in <= 2.4.19 or >= 2.4.21 kernels.

Aug-01-2003: NAT helper SACK DoS

Original Announcement

This bug has been fixed in the 2.4.21 kernel.

May-08-2002: ICMP NAT information leak

Original Announcement

This bug has been fixed in the 2.4.20 (stable), and 2.5.32 (development) kernels.

May-08-2002: ICMP NAT information leak

Original Announcement

This bug has not yet been fixed in any kernel. To work around this bug, either apply the patch provided with the advisory, or use the rule-based workaround as indicated in the advisory.

Feb-25-2002: Bug within the IRC DCC tracking code

Original Announcement

This bug has been fixed in the 2.4.18-pre9 kernel. If you need to run previous kernels, get the following patch.

Jan-20-2002: Connection tracking linked list handling bug

Original Announcement

A change in the semantics of the generic linked list handling code in the linux kernel has affected ingegrity of connection tracking.

This bug has been fixed in the 2.4.11 kernel, and was not present in kernels up to 2.4.9. If you really need to run 2.4.10, get the latest iptables package and use patch-o-matic.

Sep-26-2001: Bug in MAC address matching code of iptables/ip6tables

Original Announcement

This bug has been fixed in the 2.4.11 kernel. If you need to run previous kernels, get the latest iptables package and use patch-o-matic.

Aug-22-2001: Improper use of iptables MIRROR target

Original Announcement

This bug has been fixed in the 2.4.FIXME kernel. If you need to run previous kernels, get the latest iptables package and use patch-o-matic.

Apr-16-2001: Bug in netfilter FTP connection tracking

Original Announcement

This bug has been fixed in the 2.4.4 kernel. If need to run previous kernels, get the latest iptables package and use patch-o-matic.