Clearer explanation for CVE-2018-5391

author: Ben Hutchings <ben@decadent.org.uk> 2018-08-14 22:11:11 +0100
committer: Ben Hutchings <ben@decadent.org.uk> 2018-08-14 22:13:26 +0100
commit: 60e16a1fd033a1f6cc987926efcc4b4cb30b82d1 (patch)
tree: 9b9d3258fe856db367dce27b97f128d053cdac64 /dsa-texts/4.9.110-3+deb9u2
parent: f44f7ae6d90cc292ce91bd6b84f4296ed40b0dee (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/dsa-texts/4.9.110-3+deb9u2 b/dsa-texts/4.9.110-3+deb9u2
index aff52495c..092084bdc 100644
--- a/dsa-texts/4.9.110-3+deb9u2
+++ b/dsa-texts/4.9.110-3+deb9u2
@@ -9,16 +9,16 @@ CVE-2018-5391 (FragmentSmack)
     calculation expensive fragment reassembly algorithms by sending
     specially crafted packets, leading to remote denial of service.
 
-A reboot is not needed to address this issue only. CVE-2018-5391 (aka.
-FragmentSmack) can be mitigated by lowering the (default) fragment
-memory usage limits values to
+    This is mitigated by reducing the default limits on memory usage
+    for incomplete fragmented packets.  The same mitigation can be
+    achieved without the need to reboot, by setting the sysctls:
 
     net.ipv4.ipfrag_high_thresh = 262144
     net.ipv6.ip6frag_high_thresh = 262144
     net.ipv4.ipfrag_low_thresh = 196608
     net.ipv6.ip6frag_low_thresh = 196608
 
-or below, and which can still can be increased in circumstances where
-needed.
+    The default values may still be increased by local configuration
+    if necessary.
 
 stretch: 4.9.110-3+deb9u2
author	Ben Hutchings <ben@decadent.org.uk>	2018-08-14 22:11:11 +0100
committer	Ben Hutchings <ben@decadent.org.uk>	2018-08-14 22:13:26 +0100
commit	60e16a1fd033a1f6cc987926efcc4b4cb30b82d1 (patch)
tree	9b9d3258fe856db367dce27b97f128d053cdac64 /dsa-texts/4.9.110-3+deb9u2
parent	f44f7ae6d90cc292ce91bd6b84f4296ed40b0dee (diff)