ip6_tables in netfilter in the Linux kernel before 220.127.116.11 allows remote
attackers to (1) bypass a rule that disallows a protocol, via a packet with
the protocol header not located immediately after the fragment header, aka
"ip6_tables protocol bypass bug;" and (2) bypass a rule that looks for a
certain extension header, via a packet with an extension header outside the
first fragment, aka "ip6_tables extension header bypass bug."
Updated: 2016-03-23 03:27:28 UTC (commit 10817)