On 6/20/19 6:00 PM, David C. Rankin wrote:
All,
Anyone know whether there is a planned fix for:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
related:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
Suggested work-around:
echo 0 > /proc/sys/net/ipv4/tcp_sack
(default is 1)
From El Reg:
With CVE-2019-11477, a string of TCP SACK responses will cause the Linux kernel to unexpectedly hit an internal data structure limit, triggering a fatal panic. The others affecting Linux will force the system to consume resources, thus slowing it down, as Red Hat explained in its technical summary (https://access.redhat.com/security/vulnerabilities/tcpsack) today.

The SUSE site recommended this as one option, until the kernel is updated:

iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP

I tried it and it doesn't seem to have broken anything yet. I read somewhere that turning off tcp_sack has network performance issues.

Regards,
Lew
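As an added example (not from either poster), a small POSIX sh audit of the two workarounds discussed in this thread: it reports whether tcp_sack is switched off and whether an iptables DROP rule for low MSS values is loaded in INPUT. It assumes iptables-save output in its usual one-rule-per-line format; the sample files it builds are constructed for the demo, not captured from a real host.

```sh
#!/bin/sh
# Added example: audit whether a host carries either SACK Panic workaround.
# Functions take a file path (tcp_sack) and stdin (iptables-save output) so
# they can be run on captured files; for a live host (as root) use:
#   iptables-save | sack_mitigation_summary /proc/sys/net/ipv4/tcp_sack

# Print "disabled" when the tcp_sack file holds 0 (the echo-0 workaround).
tcp_sack_status() {
    f="${1:-/proc/sys/net/ipv4/tcp_sack}"
    if [ "$(tr -d '[:space:]' < "$f" 2>/dev/null)" = "0" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Print "yes" when INPUT has a DROP rule matching MSS values from 1 up to
# some limit (the iptables rule from the SUSE page), reading iptables-save
# output on stdin.
mss_drop_rule_present() {
    if grep -Eq '^-A INPUT .*-p tcp .*-m tcpmss .*--mss 1:[0-9]+ .*-j DROP' ; then
        echo yes
    else
        echo no
    fi
}

# Combine both checks: $1 is the tcp_sack file, stdin is iptables-save output.
sack_mitigation_summary() {
    sack="$(tcp_sack_status "$1")"
    rule="$(mss_drop_rule_present)"
    if [ "$sack" = disabled ] && [ "$rule" = yes ]; then echo "both workarounds active"
    elif [ "$sack" = disabled ]; then echo "tcp_sack disabled"
    elif [ "$rule" = yes ]; then echo "low-MSS DROP rule active"
    else echo "no workaround active"
    fi
}

# Demo on constructed input (not a real capture): SACK left on, SUSE rule loaded.
demo_dir="$(mktemp -d)"
printf '1\n' > "$demo_dir/tcp_sack"
cat > "$demo_dir/rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
COMMIT
EOF
sack_mitigation_summary "$demo_dir/tcp_sack" < "$demo_dir/rules"   # prints "low-MSS DROP rule active"
rm -rf "$demo_dir"
```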