Announcement

Collapse
No announcement yet.

Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

Collapse
X
Collapse
  • Page of 3
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 template Next
  • #1

    Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    Phoronix: Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    As Netflix's first security bulletin for 2019, they warned of TCP-based remote denial of service vulnerabilities affecting both Linux and FreeBSD. These vulnerabilities are rated "critical" but already being corrected within the latest Git code...

    http://www.phoronix.com/scan.php?pag...BSD-Linux-Bugs
    Tags: None
  • #2
    this news is a bit latish, ..! ;-) https://www.youtube.com/watch?v=8akg0mPyflw
    • 1 like

    Comment

    • #3
      A few minutes after the announcement my PC was already running 5.1.11. Too bad it's gonna take quite some time before OpenWRT updates their images. They haven't even applied the patches yet

      As a workaround you can run

      Code:
      sysctl net.ipv4.tcp_sack=0
      Last edited by birdie; 06-18-2019, 08:00 AM.
      • 5 likes

      Comment

      • #4
        So they're being fixed in Linux. What about FreeBSD? Shouldn't Netflix fix it in the first place?
        • 2 likes

        Comment

        • #5
          Originally posted by Volta View Post
          So they're being fixed in Linux. What about FreeBSD? Shouldn't Netflix fix it in the first place?
          Default FreeBSD is not even affected.
          • 5 likes

          Comment

          • #6
            https://github.com/Netflix/security-...it_limit.patch
            Netflix's provided patch for FreeBSD (12)
            • 4 likes

            Comment

            • #7
              Originally posted by birdie View Post
              A few minutes after the announcement my PC was already running 5.1.11. Too bad it's gonna take quite some time before OpenWRT updates their images. They haven't even applied the patches yet

              As a workaround you can run

              Code:
              sysctl net.ipv4.tcp_sack=0
              My understanding is this can slow down TCP connections - you are better off using the iptables rule

              Code:
              iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
              Suse's advisory suggests this -> https://www.suse.com/support/kb/doc/?id=7023928
              • 9 likes

              Comment

              • #8
                Linux Os has to improve in security and efficiency.

                Comment

                • #9
                  Originally posted by Azrael5 View Post
                  Linux Os has to improve in security and efficiency.
                  Really? for something that's free and mostly based on volunteer work, I find everything to be really amazing! The proposed fix had to be tested and reviewed.
                  • 7 likes

                  Comment

                  • #10
                    Originally posted by yossarianuk View Post


                    Code:
                    iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
                    It is much preferred to use "iptables -I INPUT" instead of "iptables -A INPUT". Depending on rules in your chain, -A could possibly cause much cpu load if the rule is heavily processed.

                    At HN it is suggested to use "-t raw -I PREROUTING", which could be of benefit especially with heavy traffic.
                    • 4 likes

                    Comment

                    Previous 1 2 3 template Next
                    Working...
                    X