[arch-general] CVE-2019-11477 (/proc/sys/net/ipv4/tcp_sack)
anthraxx at archlinux.org
Fri Jun 21 06:44:22 UTC 2019
On 6/21/19 8:25 AM, David C. Rankin wrote:
> After 5.12.1 is there any further mitigation needed for:
> Suggested work-around:
> echo 0 > /proc/sys/net/ipv4/tcp_sack
> iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
> Are either needed after latest kernel, or is this resolved?
I guess you mean 5.1.12 as long as you are not a visitor from the future.
5.1.11 was the upstream fix version for the SACK issues, you can use our
Arch Linux specific security tracker to get this information:
which lists all affected and fixed variants/versions.
there have been advisories published on the tracker and via our sec
So as long as you are running latest kernels, no other mitigation is needed.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the arch-general