Re: [SECURITY] [DSA 4272-1] linux security update
On Wed, Aug 15, 2018 at 04:02:59PM +0200, Matus UHLAR - fantomas wrote:
> On 14.08.18 21:52, Salvatore Bonaccorso wrote:
> > CVE-2018-5391 (FragmentSmack)
> > Juha-Matti Tilli discovered a flaw in the way the Linux kernel
> > handled reassembly of fragmented IPv4 and IPv6 packets. A remote
> > attacker can take advantage of this flaw to trigger time and
> > calculation expensive fragment reassembly algorithms by sending
> > specially crafted packets, leading to remote denial of service.
> > This is mitigated by reducing the default limits on memory usage
> > for incomplete fragmented packets. The same mitigation can be
> > achieved without the need to reboot, by setting the sysctls:
> > net.ipv4.ipfrag_high_thresh = 262144
> > net.ipv6.ip6frag_high_thresh = 262144
> > net.ipv4.ipfrag_low_thresh = 196608
> > net.ipv6.ip6frag_low_thresh = 196608
> It seems that the thresholds should be applied in reverse order, the stretch
> kernel complains if we try to shrink the high threshold below the low one
> (and is probably right).
Yes, that's right. I have fixed this information/listing in the
web version of the DSA, but it cannot be fixed for the sent mail.
I asked the debian-www team if the listing can be improved there.
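An added example, not from the DSA or this thread: a POSIX sh helper that works out a safe write order for the four sysctls quoted above, so the kernel's low <= high check is never tripped whether the limits are being shrunk (as in this mitigation) or raised again. It assumes a sysctl(8) that accepts -n and -w; the current values used in the comments are constructed, not taken from any particular host.

```sh
#!/bin/sh
# Resolve the sysctl key names for an address family into $lo and $hi.
frag_keys() {
  case $1 in
    ipv4) lo=net.ipv4.ipfrag_low_thresh;  hi=net.ipv4.ipfrag_high_thresh ;;
    ipv6) lo=net.ipv6.ip6frag_low_thresh; hi=net.ipv6.ip6frag_high_thresh ;;
    *) echo "unknown family: $1" >&2; return 2 ;;
  esac
}

# frag_order FAMILY CUR_LOW CUR_HIGH NEW_LOW NEW_HIGH
# Print "key=value" lines in an order that keeps low <= high at every step.
frag_order() {
  frag_keys "$1" || return 2
  cur_low=$2; cur_high=$3; new_low=$4; new_high=$5
  [ "$new_low" -le "$new_high" ] || { echo "low > high" >&2; return 1; }
  if [ "$new_high" -lt "$cur_low" ]; then
    # Shrinking below the current low watermark (e.g. constructed current
    # values 3145728/4194304 down to 196608/262144): write low first, so
    # high never drops below low.
    printf '%s=%s\n' "$lo" "$new_low" "$hi" "$new_high"
  else
    # Raising, or no conflict: write high first, so low never exceeds high.
    printf '%s=%s\n' "$hi" "$new_high" "$lo" "$new_low"
  fi
}

# apply_frag_limits FAMILY NEW_LOW NEW_HIGH  (needs root to write sysctls)
apply_frag_limits() {
  frag_keys "$1" || return 2
  frag_order "$1" "$(sysctl -n "$lo")" "$(sysctl -n "$hi")" "$2" "$3" |
    while IFS= read -r kv; do sysctl -w "$kv"; done
}

# Usage for the DSA mitigation on both families:
#   apply_frag_limits ipv4 196608 262144
#   apply_frag_limits ipv6 196608 262144
```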