On 6/21/19 8:25 AM, David C. Rankin wrote:
After 5.12.1 is there any further mitigation needed for:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
related:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
Suggested work-around:
echo 0 > /proc/sys/net/ipv4/tcp_sack
or
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Are either needed after latest kernel, or is this resolved?
I guess you mean 5.1.12 as long as you are not a visitor from the future. 5.1.11 was the upstream fix version for the SACK issues, you can use our Arch Linux specific security tracker to get this information: https://security.archlinux.org/CVE-2019-11477 https://security.archlinux.org/CVE-2019-11478 https://security.archlinux.org/CVE-2019-11479 which lists all affected and fixed variants/versions. there have been advisories published on the tracker and via our sec announcements ML. So as long as you are running latest kernels, no other mitigation is needed. cheers, Levente