On 6/21/19 8:25 AM, David C. Rankin wrote:
> After 5.12.1 is there any further mitigation needed for:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
>
> related:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479
>
> Suggested work-around:
>
>   echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> or
>
>   iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
>
> Are either needed after latest kernel, or is this resolved?
>

I guess you mean 5.1.12 as long as you are not a visitor from the future.

5.1.11 was the upstream fix version for the SACK issues, you can use our Arch Linux specific security tracker to get this information:

https://security.archlinux.org/CVE-2019-11477
https://security.archlinux.org/CVE-2019-11478
https://security.archlinux.org/CVE-2019-11479

which lists all affected and fixed variants/versions. There have been advisories published on the tracker and via our sec announcements ML.

So as long as you are running latest kernels, no other mitigation is needed.

cheers,
Levente