ip6_tables in netfilter in the Linux kernel before 22.214.171.124 allows remote
attackers to (1) bypass a rule that disallows a protocol, via a packet with
the protocol header not located immediately after the fragment header, aka
"ip6_tables protocol bypass bug;" and (2) bypass a rule that looks for a
certain extension header, via a packet with an extension header outside the
first fragment, aka "ip6_tables extension header bypass bug."
Updated: 2015-10-17 03:26:33 UTC (commit 10086)