path: root/active/CVE-2021-20322
Description: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
References:
 https://bugzilla.redhat.com/show_bug.cgi?id=2014230
 https://lore.kernel.org/stable/YXwNmcIcmOYTRhG2@kroah.com/T/#m0104263473be2806725abb19a30d6288da622898
Notes:
 carnil> Backports for 4.19.y and 4.9.y seem incomplete for the time
 carnil> being and only have the "ipv4: make exception cache less
 carnil> predictible" patch.
 bwh> Introduced for ipv4 in 3.6 by commit 4895c771c7f0 "ipv4: Add FIB nexthop
 bwh> exceptions."
 bwh> Introduced for ipv6 in 4.15 by commits 35732d01fe31 "ipv6: introduce a
 bwh> hash table to store dst cache" and 2b760fcf5cfb "ipv6: hook up exception
 bwh> table to store dst cache".
 bwh> So for the 4.9 branches only ipv4 needs to be fixed.
 carnil> For 4.19.y additionally required
 carnil> ipv4: use siphash instead of Jenkins in fnhe_hashfun()
 carnil> ipv6: use siphash in rt6_exception_hash()
 carnil> ipv6: make exception cache less predictible
Bugs:
upstream: released (5.14) [4785305c05b25a242e5314cc821f54ade4c18810, 6457378fe796815c973f631a1904e147d6ee33b1], released (5.15-rc1) [a00df2caffed3883c341d5685f830434312e4a43, 67d6d681e15b578c1725bad8ad079e05d1c48a8e]
5.10-upstream-stable: released (5.10.62) [dced8347a727528b388f04820f48166f1e651af6, beefd5f0c63a31a83bc5a99e6888af884745684b], released (5.10.65) [8692f0bb29927d13a871b198adff1d336a8d2d00, 5867e20e1808acd0c832ddea2587e5ee49813874]
4.19-upstream-stable: released (4.19.207) [3e6bd2b583f18da9856fc9741ffa200a74a52cba], released (4.19.215) [6e2856767eb1a9cfcfcd82136928037f04920e97, ad829847ad59af8e26a1f1c345716099abbc7a58, c6d0d68d6da68159948cad3d808d61bb291a0283]
4.9-upstream-stable: released (4.9.283) [f10ce783bcc4d8ea454563a7d56ae781640e7dcb]
sid: released (5.14.6-1)
5.10-bullseye-security: released (5.10.70-1)
4.19-buster-security: needed
4.9-stretch-security: pending (4.9.290-1)
