Locally it worked without it.
Several security issues are fixed, as well as new features added. Please note the change below in OpenSSH 6.8.

> * sshd(8): UseDNS now defaults to 'no'. Configurations that match
> against the client host name (via sshd_config or authorized_keys)
> may need to re-enable it or convert to matching against addresses.

It should be set to `yes` in our setup again.

Everybody should start using ED25519 [1].

```
$ ssh-keygen -t ed25519
```

Additionally, the new host keys should be generated with `ssh-keygen -A`.

The utility `ssh-copy-id` and meta files are installed now, according to the Linux from Scratch documentation [3].

[1] http://www.openssh.com/txt/release-6.8
[2] https://de.wikipedia.org/wiki/Curve25519
[3] http://www.linuxfromscratch.org/blfs/view/7.9/postlfs/openssh.html
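As an added example (not part of the PR or the commit above): a POSIX shell check that reports the effective `UseDNS` value for a given `sshd_config`, honouring sshd's first-match rule for keywords and the 6.8 change of the built-in default from `yes` to `no`. The config path and the OpenSSH version are passed as arguments; the sample configs are constructed here.

```shell
# Added example, not from the PR: effective sshd UseDNS value for a config file.
# sshd takes the FIRST occurrence of a keyword, so the first match wins.
# $1: path to sshd_config, $2: OpenSSH version (major.minor, e.g. 6.8)
usedns_effective() {
  cfg=$1
  ver=$2
  # First explicit UseDNS line; keywords are case-insensitive and a line whose
  # first field is '#' is a comment, so "# UseDNS yes" is ignored.
  explicit=$(awk 'tolower($1) == "usedns" { print tolower($2); exit }' "$cfg")
  if [ -n "$explicit" ]; then
    printf '%s\n' "$explicit"
    return 0
  fi
  # No explicit setting: built-in default is "yes" before 6.8 and "no" from 6.8 on.
  awk -v v="$ver" 'BEGIN {
    split(v, p, ".")
    maj = p[1] + 0; min = p[2] + 0
    if (maj > 6 || (maj == 6 && min >= 8)) print "no"; else print "yes"
  }'
}

# Constructed sample configs for demonstration (not real host files).
tmpdir=$(mktemp -d)
printf 'Port 22\n# UseDNS no\nUseDNS yes\nUseDNS no\n' > "$tmpdir/explicit.conf"
printf 'Port 22\nPermitRootLogin no\n' > "$tmpdir/implicit.conf"

usedns_effective "$tmpdir/explicit.conf" 6.8   # yes: first explicit line wins
usedns_effective "$tmpdir/implicit.conf" 6.8   # no:  6.8 default
usedns_effective "$tmpdir/implicit.conf" 6.7   # yes: pre-6.8 default
```

On a live host, `sshd -T | grep -i usedns` prints the value the running sshd binary actually resolves, which is the authoritative check after an upgrade.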
No spontaneous objections. LIBEXECDIR=/usr/lib/openssh could also be dropped at some point. I don't know why it was customary for us to redirect /usr/libexec to /usr/lib; that was even a default in bee at one time, but I removed that some time ago as well. See https://github.molgen.mpg.de/donald/bee/commit/71d195d1e28be8ef403a4ebcb3b6a7d6744a8a31
donald added a commit that referenced this pull request on May 29, 2017:
Update to latest available version before investigating further into the heap corruption problem.

```
#1  0x00007f7685167748 in __GI_abort () at abort.c:89
#2  0x00007f76851a967d in __malloc_assert (assertion=assertion@entry=0x7f7685299470 "(unsigned long) (size) >= (unsigned long) (nb)", file=file@entry=0x7f7685295065 "malloc.c", line=line@entry=3692, function=function@entry=0x7f76852953ed <__func__.11515> "_int_malloc") at malloc.c:293
#3  0x00007f76851ac51a in _int_malloc (av=av@entry=0x7f7648000020, bytes=bytes@entry=2049) at malloc.c:3692
#4  0x00007f76851acbe1 in _int_realloc (av=av@entry=0x7f7648000020, oldp=oldp@entry=0x7f76480019a0, oldsize=oldsize@entry=1040, nb=nb@entry=2064) at malloc.c:4283
#5  0x00007f76851add19 in __GI___libc_realloc (oldmem=0x7f76480019b0, bytes=2049) at malloc.c:3026
#6  0x000055a920baef28 in set_tsd_user_vars ()
#7  0x000055a920b9d2b4 in ?? ()
#8  0x00007f76863a9191 in start_thread (arg=0x7f767c1de700) at pthread_create.c:309
#9  0x00007f768521930d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
```
pmenzel added a commit that referenced this pull request on Oct 3, 2017:
Release notes [1]:

> Release 3.13.0 (15 June 2017)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> 3.13.0 is a feature release with many improvements and the usual collection of
> bug fixes.
>
> This release supports X86/Linux, AMD64/Linux, ARM32/Linux, ARM64/Linux,
> PPC32/Linux, PPC64BE/Linux, PPC64LE/Linux, S390X/Linux, MIPS32/Linux,
> MIPS64/Linux, ARM/Android, ARM64/Android, MIPS32/Android, X86/Android,
> X86/Solaris, AMD64/Solaris and AMD64/MacOSX 10.12.
>
> * ==================== CORE CHANGES ===================
>
> * The translation cache size has been increased to keep up with the demands of
> large applications. The maximum number of sectors has increased from 24 to
> 48. The default number of sectors has increased from 16 to 32 on all
> targets except Android, where the increase is from 6 to 12.
>
> * The amount of memory that Valgrind can use has been increased from 64GB to
> 128GB. In particular this means your application can allocate up to about
> 60GB when running on Memcheck.
>
> * Valgrind's default load address has been changed from 0x3800'0000 to
> 0x5800'0000, so as to make it possible to load larger executables. This
> should make it possible to load executables of size at least 1200MB.
>
> * A massive spaceleak caused by reading compressed debuginfo files has been
> fixed. Valgrind should now be entirely usable with gcc-7.0 "-gz" created
> debuginfo.
>
> * The C++ demangler has been updated.
>
> * Support for demangling Rust symbols has been added.
>
> * A new representation of stack traces, the "XTree", has been added. An XTree
> is a tree of stacktraces with data associated with the stacktraces. This is
> used by various tools (Memcheck, Helgrind, Massif) to report on the heap
> consumption of your program. Reporting is controlled by the new options
> --xtree-memory=none|allocs|full and --xtree-memory-file=<file>.
>
> A report can also be produced on demand using the gdbserver monitor command
> 'xtmemory [<filename>]>'. The XTree can be output in 2 formats: 'callgrind
> format' and 'massif format. The existing visualisers for these formats (e.g.
> callgrind_annotate, KCachegrind, ms_print) can be used to visualise and
> analyse these reports.
>
> Memcheck can also produce XTree leak reports using the Callgrind file
> format. For more details, see the user manual.
>
> * ================== PLATFORM CHANGES =================
>
> * ppc64: support for ISA 3.0B and various fixes for existing 3.0 support
>
> * amd64: fixes for JIT failure problems on long AVX2 code blocks
>
> * amd64 and x86: support for CET prefixes has been added
>
> * arm32: a few missing ARMv8 instructions have been implemented
>
> * arm64, mips64, mips32: an alternative implementation of Load-Linked and
> Store-Conditional instructions has been added. This is to deal with
> processor implementations that implement the LL/SC specifications strictly
> and as a result cause Valgrind to hang in certain situations. The
> alternative implementation is automatically enabled at startup, as required.
> You can use the option --sim-hints=fallback-llsc to force-enable it if you
> want.
>
> * Support for OSX 10.12 has been improved.
>
> * On Linux, clone handling has been improved to honour CLONE_VFORK that
> involves a child stack. Note however that CLONE_VFORK | CLONE_VM is handled
> like CLONE_VFORK (by removing CLONE_VM), so applications that depend on
> CLONE_VM exact semantics will (still) not work.
>
> * The TileGX/Linux port has been removed because it appears to be both unused
> and unsupported.
>
> * ==================== TOOL CHANGES ====================
>
> * Memcheck:
>
> - Memcheck should give fewer false positives when running optimised
> Clang/LLVM generated code.
>
> - Support for --xtree-memory and 'xtmemory [<filename>]>'.
>
> - New command line options --xtree-leak=no|yes and --xtree-leak-file=<file>
> to produce the end of execution leak report in a xtree callgrind format
> file.
>
> - New option 'xtleak' in the memcheck leak_check monitor command, to produce
> the leak report in an xtree file.
>
> * Massif:
>
> - Support for --xtree-memory and 'xtmemory [<filename>]>'.
>
> - For some workloads (typically, for big applications), Massif memory
> consumption and CPU consumption has decreased significantly.
>
> * Helgrind:
>
> - Support for --xtree-memory and 'xtmemory [<filename>]>'.
>
> - addition of client request VALGRIND_HG_GNAT_DEPENDENT_MASTER_JOIN, useful
> for Ada gnat compiled applications.
>
> * ==================== OTHER CHANGES ====================
>
> * For Valgrind developers: in an outer/inner setup, the outer Valgrind will
> append the inner guest stacktrace to the inner host stacktrace. This helps
> to investigate the errors reported by the outer, when they are caused by the
> inner guest program (such as an inner regtest). See README_DEVELOPERS for
> more info.
>
> * To allow fast detection of callgrind files by desktop environments and file
> managers, the format was extended to have an optional first line that
> uniquely identifies the format ("# callgrind format"). Callgrind creates
> this line now, as does the new xtree functionality.
>
> * File name template arguments (such as --log-file, --xtree-memory-file, ...)
> have a new %n format letter that is replaced by a sequence number.
>
> * "--version -v" now shows the SVN revision numbers from which Valgrind was
> built.
>
> * ==================== FIXED BUGS ====================
>
> The following bugs have been fixed or resolved. Note that "n-i-bz"
> stands for "not in bugzilla" -- that is, a bug that was reported to us
> but never got a bugzilla entry. We encourage you to file bugs in
> bugzilla (https://bugs.kde.org/enter_bug.cgi?product=valgrind) rather
> than mailing the developers (or mailing lists) directly -- bugs that
> are not entered into bugzilla tend to get forgotten about or ignored.
>
> To see details of a given bug, visit
> https://bugs.kde.org/show_bug.cgi?id=XXXXXX
> where XXXXXX is the bug number as listed below.
>
> 162848 --log-file output isn't split when a program forks
> 340777 Illegal instruction on mips (ar71xx)
> 341481 MIPS64: Iop_CmpNE32 triggers false warning on MIPS64 platforms
> 342040 Valgrind mishandles clone with CLONE_VFORK | CLONE_VM that clones
> to a different stack.
> 344139 x86 stack-seg overrides, needed by the Wine people
> 344524 store conditional of guest applications always fail - observed on
> Octeon3(MIPS)
> 348616 Wine/valgrind: noted but unhandled ioctl 0x5390 [..] (DVD_READ_STRUCT)
> 352395 Please provide SVN revision info in --version -v
> 352767 Wine/valgrind: noted but unhandled ioctl 0x5307 [..] (CDROMSTOP)
> 356374 Assertion 'DRD_(g_threadinfo)[tid].pt_threadid !=
> INVALID_POSIX_THREADID' failed
> 358213 helgrind/drd bar_bad testcase hangs or crashes with new glibc pthread
> barrier implementation
> 358697 valgrind.h: Some code remains even when defining NVALGRIND
> 359202 Add musl libc configure/compile
> 360415 amd64 instructions ADCX and ADOX are not implemented in VEX
> == 372828 (vex amd64->IR: 0x66 0xF 0x3A 0x62 0x4A 0x10)
> 360429 unhandled ioctl 0x530d with no size/direction hints (CDROMREADMODE1)
> 362223 assertion failed when .valgrindrc is a directory instead of a file
> 367543 bt/btc/btr/bts x86/x86_64 instructions are poorly-handled wrt flags
> 367942 Segfault vgPlain_do_sys_sigaction (m_signals.c:1138)
> 368507 can't malloc chunks larger than about 34GB
> 368529 Android arm target link error, missing atexit and pthread_atfork
> 368863 WARNING: unhandled arm64-linux syscall: 100 (get_robust_list)
> 368865 WARNING: unhandled arm64-linux syscall: 272 (kcmp)
> 368868 disInstr(arm64): unhandled instruction 0xD53BE000 = cntfrq_el0 (ARMv8)
> 368917 WARNING: unhandled arm64-linux syscall: 218 (request_key)
> 368918 WARNING: unhandled arm64-linux syscall: 127 (sched_rr_get_interval)
> 368922 WARNING: unhandled arm64-linux syscall: 161 (sethostname)
> 368924 WARNING: unhandled arm64-linux syscall: 84 (sync_file_range)
> 368925 WARNING: unhandled arm64-linux syscall: 130 (tkill)
> 368926 WARNING: unhandled arm64-linux syscall: 97 (unshare)
> 369459 valgrind on arm64 violates the ARMv8 spec (ldxr/stxr)
> 370028 Reduce the number of compiler warnings on MIPS platforms
> 370635 arm64 missing syscall getcpu
> 371225 Fix order of timer_{gettime,getoverrun,settime} syscalls on arm64
> 371227 Clean AArch64 syscall table
> 371412 Rename wrap_sys_shmat to sys_shmat like other wrappers
> 371471 Valgrind complains about non legit memory leaks on placement new (C++)
> 371491 handleAddrOverrides() is [incorrect] when ASO prefix is used
> 371503 disInstr(arm64): unhandled instruction 0xF89F0000
> 371869 support '%' in symbol Z-encoding
> 371916 execution tree xtree concept
> 372120 c++ demangler demangles symbols which are not c++
> 372185 Support of valgrind on ARMv8 with 32 bit executable
> 372188 vex amd64->IR: 0x66 0xF 0x3A 0x62 0x4A 0x10 0x10 0x48 (PCMPxSTRx $0x10)
> 372195 Power PC, xxsel instruction is not always recognized.
> 372504 Hanging on exit_group
> 372600 process loops forever when fatal signals are arriving quickly
> 372794 LibVEX (arm32 front end): 'Assertion szBlg2 <= 3' failed
> 373046 Stacks registered by core are never deregistered
> 373069 memcheck/tests/leak_cpp_interior fails with GCC 5.1+
> 373086 Implement additional Xen hypercalls
> 373192 Calling posix_spawn in glibc 2.24 completely broken
> 373488 Support for fanotify API on ARM64 architecture
> == 368864 WARNING: unhandled arm64-linux syscall: 262 (fanotify_init)
> 373555 Rename BBPTR to GSPTR as it denotes guest state pointer only
> 373938 const IRExpr arguments for matchIRExpr()
> 374719 some spelling fixes
> 374963 increase valgrind's load address to prevent mmap failure
> 375514 valgrind_get_tls_addr() does not work in case of static TLS
> 375772 +1 error in get_elf_symbol_info() when computing value of 'hi' address
> for ML_(find_rx_mapping)()
> 375806 Test helgrind/tests/tc22_exit_w_lock fails with glibc 2.24
> 375839 Temporary storage exhausted, with long sequence of vfmadd231ps insns
> == 377159 "vex: the `impossible' happened" still present
> == 375150 Assertion 'tres.status == VexTransOK' failed
> == 378068 valgrind crashes on AVX2 function in FFmpeg
> 376142 Segfaults on MIPS Cavium Octeon boards
> 376279 disInstr(arm64): unhandled instruction 0xD50320FF
> 376455 Solaris: unhandled syscall lgrpsys(180)
> 376518 Solaris: unhandled fast trap getlgrp(6)
> 376611 ppc64 and arm64 don't know about prlimit64 syscall
> 376729 PPC64, remove R2 from the clobber list
> == 371668
> 376956 syswrap of SNDDRV and DRM_IOCTL_VERSION causing some addresses
> to be wrongly marked as addressable
> 377066 Some Valgrind unit tests fail to compile on Ubuntu 16.10 with
> PIE enabled by default
> 377376 memcheck/tests/linux/getregset fails with glibc2.24
> 377427 PPC64, lxv instruction failing on odd destination register
> 377478 PPC64: ISA 3.0 setup fixes
> 377698 Missing memory check for futex() uaddr arg for FUTEX_WAKE
> and FUTEX_WAKE_BITSET, check only 4 args for FUTEX_WAKE_BITSET,
> and 2 args for FUTEX_TRYLOCK_PI
> 377717 Fix massive space leak when reading compressed debuginfo sections
> 377891 Update Xen 4.6 domctl wrappers
> 377930 fcntl syscall wrapper is missing flock structure check
> 378524 libvexmultiarch_test regression on s390x and ppc64
> 378535 Valgrind reports INTERNAL ERROR in execve syscall wrapper
> 378673 Update libiberty demangler
> 378931 Add ISA 3.0B additional isnstructions, add OV32, CA32 setting support
> 379039 syscall wrapper for prctl(PR_SET_NAME) must not check more than 16 bytes
> 379094 Valgrind reports INTERNAL ERROR in rt_sigsuspend syscall wrapper
> 379371 UNKNOWN task message [id 3444, to mach_task_self(), reply 0x603]
> (task_register_dyld_image_infos)
> 379372 UNKNOWN task message [id 3447, to mach_task_self(), reply 0x603]
> (task_register_dyld_shared_cache_image_info)
> 379390 unhandled syscall: mach:70 (host_create_mach_voucher_trap)
> 379473 MIPS: add support for rdhwr cycle counter register
> 379504 remove TileGX/Linux port
> 379525 Support more x86 nop opcodes
> 379838 disAMode(x86): not an addr!
> 379703 PC ISA 3.0 fixes: stxvx, stxv, xscmpexpdp instructions
> 379890 arm: unhandled instruction: 0xEBAD 0x1B05 (sub.w fp, sp, r5, lsl #4)
> 379895 clock_gettime does not execute POST syscall wrapper
> 379925 PPC64, mtffs does not set the FPCC and C bits in the FPSCR correctly
> 379966 WARNING: unhandled amd64-linux syscall: 313 (finit_module)
> 380200 xtree generated callgrind files refer to files without directory name
> 380202 Assertion failure for cache line size (cls == 64) on aarch64.
> 380397 s390x: __GI_strcspn() replacement needed
> n-i-bz Fix pub_tool_basics.h build issue with g++ 4.4.7.
>
> (3.13.0.RC1: 2 June 2017, vex r3386, valgrind r16434)
> (3.13.0.RC2: 9 June 2017, vex r3389, valgrind r16443)
> (3.13.0: 14 June 2017, vex r3396, valgrind r16446)

[1] http://valgrind.org/docs/manual/dist.news.html
pmenzel added a commit that referenced this pull request on Dec 19, 2017:
From [1]:

> Optional patch:
> http://www.linuxfromscratch.org/patches/blfs/7.10/wireshark-2.0.5-lua_5_3_1-1.patch
> (allows building the LUA bindings if Lua-5.3.3 is installed and LUA is
> not disabled by passing --without-lua to configure)

Applies with a little offset.

```
[BEE] patch -N -p1 -i /dev/shm/bee-root/wireshark/files/wireshark-2.0.5-lua_5_3_1-1.patch
patching file configure
Hunk #1 succeeded at 38870 (offset 1275 lines).
Hunk #2 succeeded at 38974 (offset 1275 lines).
Hunk #3 succeeded at 38998 (offset 1275 lines).
Hunk #4 succeeded at 39022 (offset 1275 lines).
patching file epan/wslua/lua_bitop.c
patching file epan/wslua/wslua_byte_array.c
patching file epan/wslua/wslua_file.c
Hunk #1 succeeded at 347 (offset 10 lines).
patching file epan/wslua/wslua.h
patching file epan/wslua/wslua_int64.c
patching file epan/wslua/wslua_internals.c
patching file epan/wslua/wslua_listener.c
patching file epan/wslua/wslua_nstime.c
patching file epan/wslua/wslua_struct.c
patching file epan/wslua/wslua_tvb.c
Hunk #3 succeeded at 223 (offset -1 lines).
Hunk #4 succeeded at 241 (offset -1 lines).
Hunk #5 succeeded at 836 (offset -1 lines).
Hunk #6 succeeded at 917 (offset -1 lines).
Hunk #7 succeeded at 961 (offset -1 lines).
Hunk #8 succeeded at 1008 (offset -1 lines).
Hunk #9 succeeded at 1108 (offset -1 lines).
```

With this patch, `Use Lua library : yes` is seen in the configure option summary.

[1] http://www.linuxfromscratch.org/blfs/view/7.10/basicnet/wireshark.html
pmenzel added a commit that referenced this pull request on Jun 18, 2019:
This fixes *Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service issues* [1].

> Netflix has identified several TCP networking vulnerabilities in FreeBSD
> and Linux kernels.
>
> The vulnerabilities specifically relate to the minimum segment size (MSS)
> and TCP Selective Acknowledgement (SACK) capabilities. The most serious,
> dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent
> Linux kernels.
>
> There are patches that address most of these vulnerabilities. If patches
> can not be applied, certain mitigations will be effective. We recommend
> that affected parties enact one of those described below, based on their
> environment.
>
> #1: CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
>
> Description: A sequence of SACKs may be crafted such that one can trigger
> an integer overflow, leading to a kernel panic.
>
> Fix: Apply the attached patch (“PATCH_net_1_4.patch”). Additionally,
> versions of the Linux kernel up to, and including, 4.14 require a second
> patch (“PATCH_net_1a.patch”).
>
> Workaround #1: Block connections with a low MSS using one of the attached
> filters. (The values in the filters are examples. You can apply a higher or
> lower limit, as appropriate for your environment.) Note that these filters
> may break legitimate connections which rely on a low MSS. Also, note that
> this mitigation is only effective if TCP probing is disabled (that is, the
> net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the
> default value for that sysctl).
>
> Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to
> 0).
>
> (Note that either workaround should be sufficient on its own. It is not
> necessary to apply both workarounds.)
>
>
> #2: CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage
> (all Linux versions)
>
> Description: It is possible to send a crafted sequence of SACKs which will
> fragment the TCP retransmission queue. On Linux kernels prior to 4.15, an
> attacker may be able to further exploit the fragmented queue to cause an
> expensive linked-list walk for subsequent SACKs received for that same TCP
> connection.
>
> Fix: Apply the attached patch (“PATCH_net_2_4.patch”)
>
> Workaround #1: Block connections with a low MSS using one of the attached
> filters. (The values in the filters are examples. You can apply a higher or
> lower limit, as appropriate for your environment.) Note that these filters
> may break legitimate connections which rely on a low MSS. Also, note that
> this mitigation is only effective if TCP probing is disabled (that is, the
> net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the
> default value for that sysctl).
>
> Workaround #2: Disable SACK processing (/proc/sys/net/ipv4/tcp_sack set to
> 0).
>
> (Note that either workaround should be sufficient on its own. It is not
> necessary to apply both workarounds.)
>
>
> #3: CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
>
> Description: It is possible to send a crafted sequence of SACKs which will
> fragment the RACK send map. An attacker may be able to further exploit the
> fragmented send map to cause an expensive linked-list walk for subsequent
> SACKs received for that same TCP connection.
>
> Workaround #1: Apply the attached patch (“split_limit.patch”) and set the
> net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the
> size of the SACK table.
>
> Workaround #2: Temporarily disable the RACK TCP stack.
>
> (Note that either workaround should be sufficient on its own. It is not
> necessary to apply both workarounds.)
>
>
> #4: CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all
> Linux versions)
>
> Description: An attacker can force the Linux kernel to segment its
> responses into multiple TCP segments, each of which contains only 8 bytes
> of data. This drastically increases the bandwidth required to deliver the
> same amount of data. Further, it consumes additional resources (CPU and NIC
> processing power). This attack requires continued effort from the attacker
> and the impacts will end shortly after the attacker stops sending traffic.
>
> Fix: Two attached patches (“PATCH_net_3_4.patch” and “PATCH_net_4_4.patch”)
> add a sysctl which enforces a minimum MSS, set by the
> net.ipv4.tcp_min_snd_mss sysctl. This lets an administrator enforce a
> minimum MSS appropriate for their applications.
>
> Workaround: Block connections with a low MSS using one of the attached
> filters. (The values in the filters are examples. You can apply a higher or
> lower limit, as appropriate for your environment.) Note that these filters
> may break legitimate connections which rely on a low MSS. Also, note that
> this mitigation is only effective if TCP probing is disabled (that is, the
> net.ipv4.tcp_mtu_probing sysctl is set to 0, which appears to be the
> default value for that sysctl).
>
>
> Note: Good system and application coding and configuration practices
> (limiting write buffers to the necessary level, monitoring connection
> memory consumption via SO_MEMINFO, and aggressively closing misbehaving
> connections) can help to limit the impact of attacks against these kinds of
> vulnerabilities.
>
> An advisory has been published
> at https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
>
> Acknowledgments:
> Originally reported by Jonathan Looney.
> We thank Eric Dumazet for providing Linux fixes and support.
> We thank Bruce Curtis for providing the Linux filters.
> We thank Jonathan Lemon and Alexey Kodanev for helping to improve the Linux
> patches.
> We gratefully acknowledge the assistance of Tyler Hicks in testing fixes,
> refining the information about vulnerable versions, and providing
> assistance during the disclosure process.
>
> Regards,
> Netflix Information Security

[1]: https://www.openwall.com/lists/oss-security/2019/06/17/5
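As an added example (not from the commit or the Netflix advisory): a POSIX shell check that classifies a Linux host's standing against the advisory's Linux items from the sysctls it names: `tcp_sack` (workaround #2), `tcp_mtu_probing` (which decides whether a low-MSS filter can work), and `tcp_min_snd_mss` (only present on kernels carrying the CVE-2019-11479 fix). The procfs root is a parameter so the check can run here against constructed snapshots; the verdict words are this example's own.

```shell
# Added example, not from the page: sysctl-based standing against the advisory.
# $1: procfs root (use /proc on a live host). Prints "sack:<state> mss:<state>".
sack_exposure() {
  ipv4=$1/sys/net/ipv4
  # Kernel defaults assumed when a file is missing: tcp_sack=1, tcp_mtu_probing=0.
  sack=$(cat "$ipv4/tcp_sack" 2>/dev/null || echo 1)
  probing=$(cat "$ipv4/tcp_mtu_probing" 2>/dev/null || echo 0)
  # The advisory's low-MSS filter only helps while TCP MTU probing is off.
  if [ "$probing" = 0 ]; then filter=filter-effective; else filter=filter-ineffective; fi
  # CVE-2019-11477 / CVE-2019-11478: workaround #2 is to turn SACK off;
  # otherwise the remaining workaround is the filter, if it can be effective.
  if [ "$sack" = 0 ]; then sack_state=mitigated-sack-off; else sack_state=$filter; fi
  # CVE-2019-11479: the fix adds net.ipv4.tcp_min_snd_mss, so the sysctl's
  # presence shows a patched kernel; otherwise only the filter is available.
  if [ -r "$ipv4/tcp_min_snd_mss" ]; then mss_state=fixed; else mss_state=$filter; fi
  echo "sack:$sack_state mss:$mss_state"
}

# Constructed procfs snapshots for demonstration (not captured from real hosts).
root=$(mktemp -d)
mk_snapshot() {  # $1 name, $2 tcp_sack, $3 tcp_mtu_probing, $4 tcp_min_snd_mss or ""
  d=$root/$1/sys/net/ipv4
  mkdir -p "$d"
  echo "$2" > "$d/tcp_sack"
  echo "$3" > "$d/tcp_mtu_probing"
  [ -n "$4" ] && echo "$4" > "$d/tcp_min_snd_mss"
  return 0
}
mk_snapshot unpatched 1 0 ""
mk_snapshot probing   1 1 ""
mk_snapshot patched   1 0 48
mk_snapshot nosack    0 0 ""

sack_exposure "$root/unpatched"  # sack:filter-effective mss:filter-effective
sack_exposure "$root/probing"    # sack:filter-ineffective mss:filter-ineffective
sack_exposure "$root/patched"    # sack:filter-effective mss:fixed
sack_exposure "$root/nosack"     # sack:mitigated-sack-off mss:filter-effective
```

A "filter-effective" verdict only means a low-MSS filter would work on this host, not that one is installed; the filters themselves are attachments to the advisory and are not on this page.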
pmenzel added a commit that referenced this pull request on Jun 18, 2019:
This fixes *Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service issues* [1].

The other commits between 4.19.40 and 4.19.52 can be found in the [git repository][2].

[1]: https://www.openwall.com/lists/oss-security/2019/06/17/5
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=linux-4.19.y
pmenzel added a commit that referenced this pull request on Jun 21, 2019:
From the [NEWS][1]:

> 3.32.0
> - pretty version number
> 3.31.91
> - symbolic: folder-download, inode-directory
> - symbolic: privacy, dnd, phone device icons
> - symbolic: new ui context for things that aren't strictly icons. Might go into gtk
> - symbolic: emoji category tweaks
> - symbolic: mail-reply, battery status (issue #6)
> - symbolic: action icons eg rotation
> - symbolic: drive icon tweaks
> - fullcolor: more app/mimetype/device/status to legacy
> - fullcolor: new style for fullcolor icons - folders, mimetypes and devices
> - cursors: fix a symlink mixup (mr #5)
>
> 3.31.1
> - few symbolic updates
> - move a lot of fullcolor icons to legacy context. They will go or be updated
> in 2 releases.
> - symbolic: lists (issue #16)
> - fullcolor: more app, device, mimetypes to legacy
> 3.30.0
> - audio-speakers-symbolic rendering glitch (issue #11)
> - *starred-symbolic 2px outline as per guidelines (issue #7)
>
> 3.29.90
> - symbolic fingerprint, smartcard reader devices
> - emoji category icons in symbolic form
> - render script improvements by Sam Hewitt
> - general cleanup and maintenance by Sam
> - SIM status icons (symbolic)
> - system-log-out-symbolic
> - screen sharing status (issue #3)
> - thicked strokes for *starred-symbolic (issue #4)
> - iput-gaming and application-games consistent (Sam)
> - bluetooth rendering fix (Sam)
> - application-x-appliance alignment (Sam)
> - tab-new, application-x-executable improvements (Sam)
> - user-bookmarks metaphor (Sam)
> - general grid alignment fixes by Sam
> - SVG filesize optimalizations by Sam
>
> 3.28.0
> 3.27.90
> - camera-switch-symbolic (bug #750285)
> - highres sizing issue (bug #785574)
> - vpn-noroute
> - optional zopfli png optimizer
> - audio-volume-* fuzzy (bug #709131)
> - audio-volume-overamplified
> - new metaphors for settings -- notifications, volume and privacy

[1]: https://gitlab.gnome.org/GNOME/adwaita-icon-theme/blob/master/NEWS