[Midnightbsd-cvs] [MidnightBSD/src] 5dd9cd: As part of its stateful TCP connection trackin...
Lucas Holt
noreply at github.com
Tue Dec 5 17:31:18 EST 2023
Branch: refs/heads/stable/3.1
Home: https://github.com/MidnightBSD/src
Commit: 5dd9cd0c84fd963e3069e67b4780f86c5f5bdcef
https://github.com/MidnightBSD/src/commit/5dd9cd0c84fd963e3069e67b4780f86c5f5bdcef
Author: Lucas Holt <luke at foolishgames.com>
Date: 2023-12-05 (Tue, 05 Dec 2023)
Changed paths:
M UPDATING
M sys/netpfil/pf/pf.c
Log Message:
-----------
As part of its stateful TCP connection tracking implementation, pf
performs sequence number validation on inbound packets. This makes it
difficult for a would-be attacker to spoof the sender and inject packets
into a TCP stream, since crafted packets must contain sequence numbers
which match the current connection state to avoid being rejected by the
firewall.
A bug in the implementation of sequence number validation means that the
sequence number is not in fact validated, allowing an attacker who is
able to impersonate the remote host and guess the connection's port
numbers to inject packets into the TCP stream.
Obtained from: FreeBSD
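As an added illustration of the mechanism the commit message refers to, the following C model (not pf's code and not part of this commit) shows the kind of per-direction window check a stateful firewall applies to inbound TCP segments: the segment's last octet must sit inside the window the receiver advertised, the first octet may lag at most one window behind for retransmissions, and the ACK must stay close to what the tracker has seen the other side send. Struct and field names, the MAXACKWINDOW constant, and the connection state values are assumptions chosen for the example; they only loosely follow pf's pf_state_peer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe comparisons on the 32-bit TCP sequence space. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

/* How far an ACK may deviate from the tracker's view of the peer's sent data
 * (assumed value for this example; pf uses a constant of the same role). */
#define MAXACKWINDOW 65535u

/* Per-direction tracking state (hypothetical names). */
struct peer {
    uint32_t seqlo;    /* highest sequence number this peer has sent so far */
    uint32_t seqhi;    /* upper edge of what the other side allows this peer to send */
    uint32_t max_win;  /* largest receive window this peer has advertised */
};

/* A TCP segment seen by the firewall, travelling src -> dst. */
struct segment {
    uint32_t seq, ack, len;
    uint16_t win;
};

/* Return true if the segment fits the tracked state of an established connection. */
bool seq_in_window(const struct peer *src, const struct peer *dst,
                   const struct segment *s)
{
    uint32_t end = s->seq + s->len;

    /* Last octet must lie inside the window dst advertised to src. */
    if (!SEQ_GEQ(src->seqhi, end))
        return false;
    /* Retransmissions are tolerated, but not more than one window back. */
    if (!SEQ_GEQ(s->seq, src->seqlo - dst->max_win))
        return false;
    /* ACK must stay within MAXACKWINDOW of what dst has been seen to send;
     * a small skew is allowed because the tracker may have missed a segment. */
    int32_t ackskew = (int32_t)(dst->seqlo - s->ack);
    if (ackskew < -(int32_t)MAXACKWINDOW || ackskew > (int32_t)MAXACKWINDOW)
        return false;
    return true;
}

/* Advance the tracked state after a segment src -> dst has been accepted. */
void track_update(struct peer *src, struct peer *dst, const struct segment *s)
{
    uint32_t end = s->seq + s->len;
    if (SEQ_GT(end, src->seqlo))
        src->seqlo = end;                       /* src has now sent up to end */
    if (s->win > src->max_win)
        src->max_win = s->win;
    uint32_t hi = s->ack + (s->win ? s->win : 1); /* how far dst may send next */
    if (SEQ_GEQ(hi, dst->seqhi))
        dst->seqhi = hi;
}

struct conn { struct peer client, server; };

/* Constructed state of an established connection (values are assumed):
 * the client has sent up to 1000 and advertises a 4096-byte window,
 * the server has sent up to 50000 and advertises 8192. */
struct conn example_conn(void)
{
    struct conn c = {
        .client = { .seqlo = 1000,  .seqhi = 1000 + 8192,  .max_win = 4096 },
        .server = { .seqlo = 50000, .seqhi = 50000 + 4096, .max_win = 8192 },
    };
    return c;
}

int main(void)
{
    struct conn c = example_conn();
    /* Legitimate client data, and three segments forged in the server's name
     * by someone who knows the addresses and ports but not the sequence state. */
    struct segment legit   = { 1000,        50000,        100, 4096 };
    struct segment random  = { 0x7FFF0000u, 1000,         20,  8192 };
    struct segment stale   = { 50000 - 4097, 1000,        20,  8192 };
    struct segment badack  = { 50000,       1000 + 70000, 20,  8192 };
    struct segment inwin   = { 50000,       1000,         20,  8192 };

    printf("client data:          %s\n", seq_in_window(&c.client, &c.server, &legit)  ? "pass" : "drop");
    printf("forged, random seq:   %s\n", seq_in_window(&c.server, &c.client, &random) ? "pass" : "drop");
    printf("forged, stale seq:    %s\n", seq_in_window(&c.server, &c.client, &stale)  ? "pass" : "drop");
    printf("forged, bad ack:      %s\n", seq_in_window(&c.server, &c.client, &badack) ? "pass" : "drop");
    printf("forged, in-window:    %s\n", seq_in_window(&c.server, &c.client, &inwin)  ? "pass" : "drop");
    return 0;
}
```

The last case is the point of the check: only a forged segment whose sequence and acknowledgement numbers both land inside the tracked windows gets through, so an attacker who has to guess them from outside the path is left with a narrow target. If the window checks are skipped entirely, every one of the forged segments above would be accepted on a port-number match alone.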