CVE-ID

CVE-1999-0216

Description
Denial of service of inetd on Linux through SYN and RST packets.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
  • BUGTRAQ:19971130 Linux inetd..
  • XF:linux-inetd-dos
  • HP:HPSBUX9803-077
  • XF:hp-inetd
Date Entry Created
19990607
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (19991203-01)
Votes (Legacy)
ACCEPT(1) Hill
MODIFY(2) Baker, Frech
RECAST(1) Meunier
Comments (Legacy)
 Meunier> The location of the vulnerability, whether in the Linux kernel or the
   application, is debatable.  Any program making the same (reasonable)
   assumption is vulnerable, i.e., implements the same vulnerability:
   "Assumption that TCP-three-way handshake is complete after calling Linux
   kernel function accept(), which returns socket after getting SYN.   Result
   is process death by SIGPIPE"
   Moreover, whether it results in DOS (to third parties) depends on the
   process that made the assumption.
   I think that the present entry should be split, one entry for every
   application that implements the vulnerability (really describing threat
   instances, which is what other people think about when we talk about
   vulnerabilities), and one entry for the Linux kernel that allows the
   vulnerability to happen.
 Frech> XF:hp-inetd
   XF:linux-inetd-dos
 Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it?  It applies to multiple OS and should be likely either modified, or in extreme case, recast

Proposed (Legacy)
19990630
This is an entry on the CVE list, which standardizes names for security problems.