
Re: (OT kinda) Newly-discovered TCP flaw



On 2016-08-12, Hugo Vanwoerkom <hvw59601@care2.com> wrote:
>>>
>>> If you're relying on HTTP or FTP - you're screwed. If you prefer HTTPS
>>> and SSH - it does not concern you.
>>>
>>> To work around the problem, use (/etc/sysctl.conf is preferred):
>>>
>>> sysctl -w net.ipv4.tcp_challenge_ack_limit=999999999
>>
>> Thank you very much for this.
>>
>>> To solve the problem you should wait until Debian-provided kernels gain
>>> a backport for CVE-2016-5696.
>>>
>
> And how will one know when to remove this patch? Or rather what effect
> will it have if it is never removed?

My guess is nothing (will or would happen). Surely the consultation of
your favorite search engine should keep you informed on the evolution of
this affair.

What's ironic is that in attempting to throttle the number of challenge acks as a
security measure they opened up the big flaw. Must be one of those moral
lessons hiding in there somewhere.

I am reading (see link below) that "The RFC 5961 spec is implemented in
Linux kernel v 3.6 and later."

http://www.linuxinsider.com/story/83798.html

As I'm running a v 3.2 kernel, I guess I'm actually not concerned by the
matter (or am I)? I applied the patch anyway, as I'm in doubt. 


> Hugo


-- 
Even the future is no longer what it used to be.
Paul Valéry
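An added example, not part of this message or of the thread: a POSIX shell script that turns the advice quoted above into a check a Debian admin can run. It takes the thread's own numbers as its inputs (RFC 5961 challenge ACKs present from Linux 3.6 per the linked article, 999999999 as the workaround value) and reports whether a host is on a pre-3.6 kernel, already carries the raised limit, or still needs it. Whether the Debian kernel package has gained the backport is a package-version question the script does not try to answer, so it gives no "safe to remove" verdict. The file name 90-cve-2016-5696.conf and the three status words are assumptions for this example; on a host where /proc/sys/net/ipv4/tcp_challenge_ack_limit is not readable it only prints a diagnostic.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a host needs the
# tcp_challenge_ack_limit workaround quoted above and emit the persistent
# /etc/sysctl.d fragment when it does.
set -eu

# Value suggested in the thread. It is not a kernel constant; the idea is to
# push the per-second challenge-ACK budget far beyond what an off-path sender
# can exhaust, so the observed count no longer leaks anything.
WORKAROUND_LIMIT=999999999

# The thread (quoting the linked article) says RFC 5961 challenge ACKs arrived
# in Linux 3.6. Returns 0 (true) when the release string is >= 3.6.
# Unparseable releases are treated as affected, which errs toward applying
# the workaround rather than skipping it.
kernel_has_rfc5961() {
    release=$1                                    # e.g. 3.2.0-4-amd64
    major=$(printf '%s\n' "$release" | cut -d. -f1)
    minor=$(printf '%s\n' "$release" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major" in ''|*[!0-9]*) return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) return 0 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; }
}

# Prints the action for a (kernel release, current limit) pair:
#   not-affected      kernel predates the RFC 5961 implementation
#   mitigated         limit already at or above the workaround value
#   apply-workaround  affected kernel still running with a small limit
workaround_status() {
    if ! kernel_has_rfc5961 "$1"; then
        echo not-affected
    elif [ "$2" -ge "$WORKAROUND_LIMIT" ]; then
        echo mitigated
    else
        echo apply-workaround
    fi
}

# The persistent form the thread prefers over a one-off `sysctl -w`:
# drop this in /etc/sysctl.d/ and load it with `sysctl -p <file>`.
sysctl_fragment() {
    printf '# CVE-2016-5696 workaround: remove the challenge-ACK side channel\n'
    printf 'net.ipv4.tcp_challenge_ack_limit = %s\n' "$WORKAROUND_LIMIT"
}

# With no arguments, inspect this host; with two, evaluate another host's
# values, e.g.: ./check.sh 3.2.0-4-amd64 100
main() {
    sysfile=/proc/sys/net/ipv4/tcp_challenge_ack_limit
    release=${1:-$(uname -r)}
    if [ -n "${2:-}" ]; then
        limit=$2
    elif [ -r "$sysfile" ]; then
        limit=$(cat "$sysfile")
    else
        echo "$sysfile not readable here; pass <kernel-release> <limit> instead" >&2
        return 0
    fi
    status=$(workaround_status "$release" "$limit")
    echo "kernel $release, tcp_challenge_ack_limit=$limit: $status"
    if [ "$status" = apply-workaround ]; then
        echo "suggested /etc/sysctl.d/90-cve-2016-5696.conf (assumed name):"
        sysctl_fragment
    fi
}

main "$@"
```

The version test is only about whether the challenge-ACK rate limiter exists at all, which is what the 3.2-versus-3.6 question in the message turns on; a raised limit on a 3.6+ kernel is reported as mitigated whether or not a fixed kernel has since been installed.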


