author | Ben Hutchings <ben@decadent.org.uk> | 2018-08-14 22:11:11 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2018-08-14 22:13:26 +0100 |
commit | 60e16a1fd033a1f6cc987926efcc4b4cb30b82d1 | |
tree | 9b9d3258fe856db367dce27b97f128d053cdac64 /dsa-texts/4.9.110-3+deb9u2 | |
parent | f44f7ae6d90cc292ce91bd6b84f4296ed40b0dee | |
Clearer explanation for CVE-2018-5391
Diffstat (limited to 'dsa-texts/4.9.110-3+deb9u2')
-rw-r--r-- | dsa-texts/4.9.110-3+deb9u2 | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/dsa-texts/4.9.110-3+deb9u2 b/dsa-texts/4.9.110-3+deb9u2 index aff52495c..092084bdc 100644 --- a/dsa-texts/4.9.110-3+deb9u2 +++ b/dsa-texts/4.9.110-3+deb9u2 @@ -9,16 +9,16 @@ CVE-2018-5391 (FragmentSmack) calculation expensive fragment reassembly algorithms by sending specially crafted packets, leading to remote denial of service. -A reboot is not needed to address this issue only. CVE-2018-5391 (aka. -FragmentSmack) can be mitigated by lowering the (default) fragment -memory usage limits values to + This is mitigated by reducing the default limits on memory usage + for incomplete fragmented packets. The same mitigation can be + achieved without the need to reboot, by setting the sysctls: net.ipv4.ipfrag_high_thresh = 262144 net.ipv6.ip6frag_high_thresh = 262144 net.ipv4.ipfrag_low_thresh = 196608 net.ipv6.ip6frag_low_thresh = 196608 -or below, and which can still can be increased in circumstances where -needed. + The default values may still be increased by local configuration + if necessary. stretch: 4.9.110-3+deb9u2 |
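Review bot: The last added sentence, "The default values may still be increased by local configuration if necessary", drops the old text's "or below" and does not tell the reader that raising the thresholds above the four listed values undoes the mitigation described two sentences earlier. Suggest saying both things explicitly, for example that lower values are equally acceptable and that raising them by local configuration reduces the protection against this issue. The first added sentence also leaves it implicit that the updated package is what reduces the defaults; naming the update there would make "The same mitigation can be achieved without the need to reboot" easier to follow. While this paragraph is being reworded, the unchanged context line at the top of the hunk, "calculation expensive fragment reassembly algorithms", looks like it is missing or garbling a word and could be fixed in the same change.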