
Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels


  • Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    Phoronix: Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    As Netflix's first security bulletin for 2019, they warned of TCP-based remote denial of service vulnerabilities affecting both Linux and FreeBSD. These vulnerabilities are rated "critical" but already being corrected within the latest Git code...

    http://www.phoronix.com/scan.php?pag...BSD-Linux-Bugs

  • #2
This news is a bit latish..! ;-) https://www.youtube.com/watch?v=8akg0mPyflw



    • #3
A few minutes after the announcement my PC was already running 5.1.11. Too bad it's gonna take quite some time before OpenWRT updates their images. They haven't even applied the patches yet.

      As a workaround you can run

      Code:
      sysctl net.ipv4.tcp_sack=0
      Last edited by birdie; 06-18-2019, 08:00 AM.



      • #4
        So they're being fixed in Linux. What about FreeBSD? Shouldn't Netflix fix it in the first place?



        • #5
Originally posted by Volta:
          So they're being fixed in Linux. What about FreeBSD? Shouldn't Netflix fix it in the first place?
          Default FreeBSD is not even affected.



          • #6
            https://github.com/Netflix/security-...it_limit.patch
            Netflix's provided patch for FreeBSD (12)



            • #7
Originally posted by birdie:
A few minutes after the announcement my PC was already running 5.1.11. Too bad it's gonna take quite some time before OpenWRT updates their images. They haven't even applied the patches yet.

              As a workaround you can run

              Code:
              sysctl net.ipv4.tcp_sack=0
My understanding is this can slow down TCP connections; you are better off using the iptables rule

              Code:
              iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
SUSE's advisory suggests this -> https://www.suse.com/support/kb/doc/?id=7023928



              • #8
Linux OS has to improve in security and efficiency.



                • #9
Originally posted by Azrael5:
Linux OS has to improve in security and efficiency.
Really? For something that's free and mostly based on volunteer work, I find everything to be really amazing! The proposed fix had to be tested and reviewed.



                  • #10
Originally posted by yossarianuk:


                    Code:
                    iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
It is much preferred to use "iptables -I INPUT" instead of "iptables -A INPUT". Depending on rules in your chain, -A could possibly cause much CPU load if the rule is heavily processed.

                    At HN it is suggested to use "-t raw -I PREROUTING", which could be of benefit especially with heavy traffic.

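To make concrete what the `-m tcpmss --mss 1:500` rule discussed in the posts above actually inspects, here is an added example (not code from the thread, Netflix or SUSE) that parses the MSS option out of a raw TCP header and reports whether a segment would fall in that drop range; the function names and the sample SYN headers are constructed for illustration.

```python
import struct

def tcp_mss_option(tcp_segment: bytes):
    """Return the MSS advertised in a TCP header's option list, or None if absent."""
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4        # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_segment):
        raise ValueError("bad TCP data offset")
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # End of option list
            break
        if kind == 1:                                # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):                       # truncated option header
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):     # malformed length
            break
        if kind == 2 and length == 4:                # MSS option: kind 2, len 4
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def matches_low_mss(tcp_segment: bytes, low: int = 1, high: int = 500) -> bool:
    """Emulate what iptables' tcpmss match does for --mss low:high.
    Segments carrying no MSS option do not match at all."""
    mss = tcp_mss_option(tcp_segment)
    return mss is not None and low <= mss <= high

def build_syn(mss=None) -> bytes:
    """Constructed sample: minimal TCP SYN header (no IP header), optional MSS option."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_offset = (20 + len(opts)) // 4              # MSS option is exactly 4 bytes
    header = struct.pack("!HHIIBBHHH",
                         40000, 443,                 # src/dst port
                         1, 0,                       # seq / ack
                         data_offset << 4, 0x02,     # data offset, SYN flag
                         65535, 0, 0)                # window, checksum, urgent
    return header + opts

if __name__ == "__main__":
    for mss in (48, 500, 1460, None):
        print(mss, "dropped" if matches_low_mss(build_syn(mss)) else "allowed")
```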
