
Re: Any idea when CVE-2016-5696 is going to get fixed?



On Sun, 28 Aug 2016 14:35:01 +0200
Frederic Marchal <frederic.marchal@wowtechnology.com> wrote:

> The attack is also useless if the attacker can't spoof the source IP 
> address. Routers in corporate environments usually block this by design or 
> due to VLAN. For that reason, the attack can't come from the same LAN to 
> bypass the border firewall. This rules out an unhappy coworker, infected 
> computer or a student with too much time on his hands.

This is the first and foremost requirement. If the packets' source address cannot be spoofed, the attack cannot be attempted.

I'm less concerned with how many sites/protocols are vulnerable than I am with how many ISPs allow spoofed packets out of their networks. It should be trivial for any ISP to drop packets that, given the source address, could not have originated within its network.

In fact, I'd go so far as to say that no ISP should be allowed to connect to the internet unless solid anti-spoofing measures are in place.

The CVE may be primarily of academic interest, but it is still a vulnerability that must be addressed. And the Debian crew will address it soon enough.

