[arch-general] CVE-2019-11477 (/proc/sys/net/ipv4/tcp_sack)
After 5.12.1 is there any further mitigation needed for:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
related:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
Suggested work-around:
echo 0 > /proc/sys/net/ipv4/tcp_sack
or
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Are either needed after latest kernel, or is this resolved?
-- 
David C. Rankin, J.D.,P.E.
On 6/21/19 8:25 AM, David C. Rankin wrote:
After 5.12.1 is there any further mitigation needed for:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
related:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
Suggested work-around:
echo 0 > /proc/sys/net/ipv4/tcp_sack
or
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
Are either needed after latest kernel, or is this resolved?
I guess you mean 5.1.12 as long as you are not a visitor from the future.
5.1.11 was the upstream fix version for the SACK issues, you can use our Arch Linux specific security tracker to get this information:
https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479
which lists all affected and fixed variants/versions.
There have been advisories published on the tracker and via our sec announcements ML.
So as long as you are running latest kernels, no other mitigation is needed.
cheers,
Levente
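The answer above boils down to a version check: on a kernel at or past the upstream fix version the SACK workarounds are redundant, on an older one they are not. The script below is an added example, not something posted in the thread or shipped by Arch: it compares a running kernel version against the fix version Levente quotes (5.1.11, assumed here as the threshold; the Arch package that carries the fix is whatever security.archlinux.org lists) and reads the current tcp_sack sysctl to say whether the `echo 0 > /proc/sys/net/ipv4/tcp_sack` workaround is still worth applying. It only reads; applying the workaround needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides whether the SACK-panic
# (CVE-2019-11477/11478/11479) workaround is still advisable on a host.
# Assumption: the upstream fix version 5.1.11 quoted in the thread is the
# threshold; check security.archlinux.org for the exact Arch package version.

FIXED_VERSION="5.1.11"

# version_ge A B: returns 0 (true) if dotted version A >= B, comparing each
# numeric field. Anything after the numeric part ("-arch1-1-ARCH") is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # both versions exhausted with no difference found: equal
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}      # missing trailing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i+1))
    done
}

# sack_mitigation_needed KERNEL TCP_SACK: prints a verdict; returns 0 if the
# workaround (tcp_sack=0 or the MSS firewall rule) should still be applied,
# 1 if the kernel is fixed or the workaround is already in place.
sack_mitigation_needed() {
    kernel=$1
    tcp_sack=$2
    if version_ge "$kernel" "$FIXED_VERSION"; then
        echo "kernel $kernel >= $FIXED_VERSION: SACK issues fixed upstream, no workaround needed"
        return 1
    fi
    if [ "$tcp_sack" = "0" ]; then
        echo "kernel $kernel < $FIXED_VERSION, but SACK is already disabled: workaround in place"
        return 1
    fi
    echo "kernel $kernel < $FIXED_VERSION and SACK enabled: apply the workaround or update the kernel"
    return 0
}

# Check the live host when run directly (read-only).
if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
    sack_mitigation_needed "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_sack)" || true
fi
```

The version comparison is field-wise rather than a string compare, so 5.1.12 correctly ranks above 5.1.9 and the Arch suffix on `uname -r` does not get in the way. The verdict is on the running kernel, not the installed package: a host that updated linux but has not rebooted still reports the old version and still needs the workaround until it does.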
On 06/21/2019 01:44 AM, Levente Polyak via arch-general wrote:
I guess you mean 5.1.12 as long as you are not a visitor from the future.
5.1.11 was the upstream fix version for the SACK issues, you can use our Arch Linux specific security tracker to get this information:
https://security.archlinux.org/CVE-2019-11477 https://security.archlinux.org/CVE-2019-11478 https://security.archlinux.org/CVE-2019-11479
which lists all affected and fixed variants/versions.
there have been advisories published on the tracker and via our sec announcements ML.
So as long as you are running latest kernels, no other mitigation is needed.
cheers, Levente
Thank you Levente,
Not from the future, just a notorious bass-ackwards typist.
Perhaps a dumb question, but where would I find (other than the security.archlinux.org page) the cross-reference that tells me CVE-XXX is in group, e.g. AVG-986?
-- 
David C. Rankin, J.D.,P.E.