[arch-general] CVE-2019-11477 (/proc/sys/net/ipv4/tcp_sack)

Levente Polyak anthraxx at archlinux.org
Fri Jun 21 06:44:22 UTC 2019

On 6/21/19 8:25 AM, David C. Rankin wrote:
> After 5.12.1 is there any further mitigation needed for:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
> related:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
>   Suggested work-around:
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>   or
> iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
> Are either needed after latest kernel, or is this resolved?

I guess you mean 5.1.12 as long as you are not a visitor from the future.

5.1.11 was the upstream fix version for the SACK issues, you can use our
Arch Linux specific security tracker to get this information:


which lists all affected and fixed variants/versions.

there have been advisories published on the tracker and via our sec
announcements ML.

So as long as you are running latest kernels, no other mitigation is needed.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20190621/e39de665/attachment.sig>

More information about the arch-general mailing list