From c4610804844059b8ee20f8b65f2b790ecc3912b9 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 17 Jun 2019 16:21:18 +0100 Subject: dsa-texts/4.9.168-1+deb9u3: Recommend a value for net.ipv4.tcp_min_snd_mss * RFC 791 says that all IPv4 hosts must be able to receive (possibly fragmented) datagrams up to 576 bytes, which implies a TCP MSS of 536 * RFC 1122 says that the default TCP MSS (if no options are given) is 536 * In practice most IPv4 connections have PMTU of at least 1400, implying a TCP MSS of at least 1360 So setting the minimum to 536 should be broadly compatible. It is also said that 500 is enough to avoid the denial-of-service attack. --- dsa-texts/4.9.168-1+deb9u3 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'dsa-texts/4.9.168-1+deb9u3') diff --git a/dsa-texts/4.9.168-1+deb9u3 b/dsa-texts/4.9.168-1+deb9u3 index 187169dc..4a039d46 100644 --- a/dsa-texts/4.9.168-1+deb9u3 +++ b/dsa-texts/4.9.168-1+deb9u3 @@ -51,9 +51,9 @@ CVE-2019-11479 bandwidth required to deliver the same amount of data. This update introduces a new sysctl value to control the minimal MSS - (net.ipv4.tcp_min_snd_mss) which by default uses the formerly hard- - coded value of '48'. To fully protect your systems you need to raise - this setting to a value which fits your local network requirements. + (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard- + coded value of 48. We recommend raising this to 536 unless you know + that your network requires a lower value. CVE-2019-11486 -- cgit v1.2.3
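Review bot: The rewritten `+` lines drop the former sentence's statement that raising the setting is required for protection, so an administrator reading only the new text may take the default of 48 as safe; suggest keeping that point, e.g. "coded value of 48, which does not by itself mitigate this issue. We recommend raising this to 536 ...". It would also help to give the one-line justification from the commit message (536 is the RFC 1122 default TCP MSS, which every IPv4 host must handle) in the advisory itself, since "unless you know that your network requires a lower value" gives administrators no basis for deciding whether they do.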