Hi Support,
Would like to verify if new updates are available that resolve the following recent vulnerabilities and how to apply them:
1. CVE-2019-11477: SACK Panic
2. CVE-2019-11478: SACK Slowness
3. CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values
Thank you.
Best Regards,
mrjovi91
Kernel updates for TCP SACK vulnerability
Re: Kernel updates for TCP SACK vulnerability
Yes.
yum update
$ rpm -q --changelog kernel-3.10.0-957.21.3.el7.x86_64 | head -9
* Mon Jun 17 2019 CentOS Sources <bugs@centos.org> - 3.10.0-957.21.3.el7
- Apply debranding changes
* Fri Jun 14 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.21.3.el7]
- [net] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (Florian Westphal) [1719914 1719915] {CVE-2019-11479}
- [net] tcp: add tcp_min_snd_mss sysctl (Florian Westphal) [1719914 1719915] {CVE-2019-11479}
- [net] tcp: tcp_fragment() should apply sane memory limits (Florian Westphal) [1719849 1719850] {CVE-2019-11478}
- [net] tcp: limit payload size of sacked skbs (Florian Westphal) [1719594 1719595] {CVE-2019-11477}
- [net] tcp: pass previous skb to tcp_shifted_skb() (Florian Westphal) [1719594 1719595] {CVE-2019-11477}
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
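Added example, not part of the original posts: a small shell check built on the `rpm -q --changelog` output shown above, reporting which of the three SACK CVEs a kernel changelog does not mention. The function names are hypothetical; `check_running_kernel` assumes the package is named `kernel-$(uname -r)`, as in the command quoted in the reply, and looks at the running kernel because a kernel installed by `yum update` is not in use until the machine reboots into it.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not CentOS tooling).
SACK_CVES="CVE-2019-11477 CVE-2019-11478 CVE-2019-11479"

# Read a kernel changelog on stdin; print the SACK CVEs it does not mention.
missing_sack_cves() {
    changelog=$(cat)
    missing=""
    for cve in $SACK_CVES; do
        # Fixes are tagged in the changelog as {CVE-YYYY-NNNNN}
        if ! printf '%s\n' "$changelog" | grep -qF "{$cve}"; then
            missing="$missing $cve"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Query the package of the kernel that is running right now.
check_running_kernel() {
    pkg="kernel-$(uname -r)"
    log=$(rpm -q --changelog "$pkg" 2>/dev/null) || {
        echo "cannot query $pkg" >&2; return 2; }
    gaps=$(printf '%s\n' "$log" | missing_sack_cves)
    if [ -n "$gaps" ]; then
        echo "$pkg lacks fixes for: $gaps (yum update, then reboot)"
        return 1
    fi
    echo "$pkg changelog lists fixes for all three SACK CVEs"
}

# Sample input: changelog lines quoted in the reply above (patched kernel).
sample_patched() {
cat <<'EOF'
- [net] tcp: add tcp_min_snd_mss sysctl (Florian Westphal) [1719914 1719915] {CVE-2019-11479}
- [net] tcp: tcp_fragment() should apply sane memory limits (Florian Westphal) [1719849 1719850] {CVE-2019-11478}
- [net] tcp: limit payload size of sacked skbs (Florian Westphal) [1719594 1719595] {CVE-2019-11477}
EOF
}

# Constructed input: a changelog carrying only the CVE-2019-11477 entry.
sample_partial() {
cat <<'EOF'
- [net] tcp: limit payload size of sacked skbs (Florian Westphal) [1719594 1719595] {CVE-2019-11477}
EOF
}

echo "patched sample, missing: [$(sample_patched | missing_sack_cves)]"
echo "partial sample, missing: [$(sample_partial | missing_sack_cves)]"
```

On a CentOS 7 host, call `check_running_kernel` after sourcing the file; a non-zero exit status means the running kernel still needs the update or a reboot.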