Kernel updates for TCP SACK vulnerability

Post by mrjovi91 » 2019/07/04 09:06:26

Hi Support,

I would like to verify whether new updates are available that resolve the following recent vulnerabilities, and how to apply them:

1. CVE-2019-11477: SACK Panic
2. CVE-2019-11478: SACK Slowness
3. CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values

Thank you.

Best Regards,
mrjovi91


Re: Kernel updates for TCP SACK vulnerability

Post by TrevorH » 2019/07/04 11:46:47

Yes.

yum update

Code:

$ rpm -q --changelog kernel-3.10.0-957.21.3.el7.x86_64 | head -9
* Mon Jun 17 2019 CentOS Sources <bugs@centos.org> - 3.10.0-957.21.3.el7
- Apply debranding changes

* Fri Jun 14 2019 Jan Stancek <jstancek@redhat.com> [3.10.0-957.21.3.el7]
- [net] tcp: enforce tcp_min_snd_mss in tcp_mtu_probing() (Florian Westphal) [1719914 1719915] {CVE-2019-11479}
- [net] tcp: add tcp_min_snd_mss sysctl (Florian Westphal) [1719914 1719915] {CVE-2019-11479}
- [net] tcp: tcp_fragment() should apply sane memory limits (Florian Westphal) [1719849 1719850] {CVE-2019-11478}
- [net] tcp: limit payload size of sacked skbs (Florian Westphal) [1719594 1719595] {CVE-2019-11477}
- [net] tcp: pass previous skb to tcp_shifted_skb() (Florian Westphal) [1719594 1719595] {CVE-2019-11477}
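An added example, not part of the thread: a script that repeats the changelog check from the reply above for all three CVEs and also confirms the running kernel exposes the `tcp_min_snd_mss` sysctl named in the changelog, since `yum update` only takes effect after booting the new kernel. The function names and the `--check` argument are hypothetical; the sample text is constructed from the changelog lines quoted above.

```bash
#!/bin/sh
# Added example: report which SACK CVE fixes an RPM changelog does NOT mention.
SACK_CVES="CVE-2019-11477 CVE-2019-11478 CVE-2019-11479"

# Reads `rpm -q --changelog` text on stdin; prints each CVE that has no fix entry.
missing_cves() (
    log=$(cat)
    for cve in $SACK_CVES; do
        # Fix entries carry the CVE id in braces, e.g. {CVE-2019-11477}
        printf '%s\n' "$log" | grep -qF "{$cve}" || printf '%s\n' "$cve"
    done
)

# True when the kernel exposes the sysctl added by the CVE-2019-11479 fix.
# The optional argument (an alternative /proc root) only makes this testable.
running_kernel_has_min_snd_mss() {
    [ -e "${1:-/proc}/sys/net/ipv4/tcp_min_snd_mss" ]
}

# Constructed sample: excerpt of the changelog quoted in the reply above.
sample_patched='- [net] tcp: add tcp_min_snd_mss sysctl (Florian Westphal) [1719914 1719915] {CVE-2019-11479}
- [net] tcp: tcp_fragment() should apply sane memory limits (Florian Westphal) [1719849 1719850] {CVE-2019-11478}
- [net] tcp: limit payload size of sacked skbs (Florian Westphal) [1719594 1719595] {CVE-2019-11477}'

# Live check on a host: run the script with --check (hypothetical argument).
if [ "${1:-}" = "--check" ]; then
    running="kernel-$(uname -r)"
    missing=$(rpm -q --changelog "$running" | missing_cves)
    if [ -z "$missing" ] && running_kernel_has_min_snd_mss; then
        echo "$running: all three SACK fixes are in the running kernel"
    else
        echo "$running: not fully patched (${missing:-tcp_min_snd_mss sysctl absent})"
        echo "Run 'yum update' and reboot into the new kernel."
        exit 1
    fi
fi
```

A kernel that is installed but not yet booted will pass the `rpm` query for its own package name while the running kernel still fails this check, which is why the script queries `kernel-$(uname -r)` rather than the newest installed package.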