[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 4272-1] linux security update

Hi,

On Wed, Aug 15, 2018 at 04:02:59PM +0200, Matus UHLAR - fantomas wrote:
> Hello,
> 
> On 14.08.18 21:52, Salvatore Bonaccorso wrote:
> > CVE-2018-5391 (FragmentSmack)
> > 
> >    Juha-Matti Tilli discovered a flaw in the way the Linux kernel
> >    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
> >    attacker can take advantage of this flaw to trigger time and
> >    calculation expensive fragment reassembly algorithms by sending
> >    specially crafted packets, leading to remote denial of service.
> > 
> >    This is mitigated by reducing the default limits on memory usage
> >    for incomplete fragmented packets.  The same mitigation can be
> >    achieved without the need to reboot, by setting the sysctls:
> > 
> >    net.ipv4.ipfrag_high_thresh = 262144
> >    net.ipv6.ip6frag_high_thresh = 262144
> >    net.ipv4.ipfrag_low_thresh = 196608
> >    net.ipv6.ip6frag_low_thresh = 196608
> 
> It seems that the thresholds should be applied in reverse order, the stretch
> kernel complains if we try to shring the high threshold below the low one
> (and is probably right).

Yes that's right. I have fixed this information/listing in the
webversion of the DSA, but cannot be fixed for the sent mail.
I asked debian-www team if the listing can be improved there.

Regards,
Salvatore
Reply to: