author Salvatore Bonaccorso <carnil@debian.org> 2018-08-14 22:59:35 +0200
committer Salvatore Bonaccorso <carnil@debian.org> 2018-08-14 22:59:35 +0200
commit f11b904f9c511cb9267d5fa46c422f00c9ef9f93
tree ed9bf5ebb2b5aad40037516bd0eb0c53576574e4
parent 9ba5e9a4c6b59e56670c972655b957a7a3f006a0
Add proposed DSA variant for CVE-2018-5391 only
-rw-r--r-- dsa-texts/4.9.110-3+deb9u2 24
1 files changed, 24 insertions, 0 deletions
diff --git a/dsa-texts/4.9.110-3+deb9u2 b/dsa-texts/4.9.110-3+deb9u2
new file mode 100644
index 00000000..170b65ed
--- /dev/null
+++ b/dsa-texts/4.9.110-3+deb9u2
@@ -0,0 +1,24 @@
+Package : linux
+CVE ID : CVE-2018-5391
+
+CVE-2018-5391 (FragmentSmack)
+
+ Juha-Matti Tilli discovered a flaw in the way the Linux kernel
+ handled reassembly of fragmented IPv4 and IPv6 packets. A remote
+ attacker can take advantage of this flaw to trigger time and
+ calculation expensive fragment reassembly algorithms by sending
+ specially crafted packets leading to remote denial of service.
+
+A reboot is not needed to address this issue only. CVE-2018-5391 (aka.
+FragmentSmack) can be mitigated by lowering the (default) fragment
+memory usage limits values to
+
+ net.ipv4.ipfrag_high_thresh = 262144
+ net.ipv6.ip6frag_high_thresh = 262144
+ net.ipv4.ipfrag_low_thresh = 196608
+ net.ipv6.ip6frag_low_thresh = 196608
+
+or below, and which can still can be increased in circumstances where
+needed.
+
+stretch: 4.9.110-3+deb9u2
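Review bot: The sentence "A reboot is not needed to address this issue only." at the start of the mitigation paragraph is ambiguous, because the trailing "only" leaves open whether it refers to applying the sysctl limits alone or to the update as a whole, while the last line still names a package version for stretch. Suggest wording such as "The mitigation below takes effect without a reboot." and saying explicitly whether the listed package changes these defaults itself or the administrator has to set them. The hunk gives only the four keys and values, so a short line on how to apply them and keep them across restarts would help readers. In the closing sentence, "and which can still can be increased" has a doubled "can", and "(aka." reads better without the period.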