[arch-general] CVE-2019-11477 (/proc/sys/net/ipv4/tcp_sack)
Levente Polyak
anthraxx at archlinux.org
Fri Jun 21 06:44:22 UTC 2019
On 6/21/19 8:25 AM, David C. Rankin wrote:
> After 5.12.1 is there any further mitigation needed for:
>
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
>
> related:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
>
> Suggested work-around:
>
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> or
>
> iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
>
> Are either needed after latest kernel, or is this resolved?
>
I guess you mean 5.1.12 as long as you are not a visitor from the future.
5.1.11 was the upstream fix version for the SACK issues, you can use our
Arch Linux specific security tracker to get this information:
https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479
which lists all affected and fixed variants/versions.
there have been advisories published on the tracker and via our sec
announcements ML.
So as long as you are running latest kernels, no other mitigation is needed.
cheers,
Levente
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20190621/e39de665/attachment.sig>
More information about the arch-general
mailing list