Commit db570013 authored by Lev Lamberov

[SECURITY] [DSA 4272-1] linux security update

parent b91590e4
<define-tag pagetitle>DSA-4272-1 linux</define-tag>
<define-tag report_date>2018-8-14</define-tag>
<define-tag secrefs>CVE-2018-5391</define-tag>
<define-tag packages>linux</define-tag>
<define-tag isvulnerable>yes</define-tag>
<define-tag fixed>yes</define-tag>
<define-tag fixed-section>no</define-tag>
#use wml::debian::security
<define-tag description>security update</define-tag>
<define-tag moreinfo></p>
<li><a href="">CVE-2018-5391</a>
<p>Juha-Matti Tilli discovered a flaw in the way the Linux kernel
handled reassembly of fragmented IPv4 and IPv6 packets. A remote
attacker can take advantage of this flaw to trigger time and
calculation expensive fragment reassembly algorithms by sending
specially crafted packets, leading to remote denial of service.</p>
<p>This is mitigated by reducing the default limits on memory usage
for incomplete fragmented packets. The same mitigation can be
achieved without the need to reboot, by setting the sysctls:</p>
<p>net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608</p>
<p>The default values may still be increased by local configuration
if necessary.</p></li>
<p>For the stable distribution (stretch), this problem has been fixed in
version 4.9.110-3+deb9u2.</p>
<p>We recommend that you upgrade your linux packages.</p>
<p>For the detailed security status of linux please refer to its
security tracker page at:
<a href="">\</a></p>
# do not modify the following line
#include "$(ENGLISHDIR)/security/2018/"
# $Id: $
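Review bot: the moreinfo block is not well-formed as shown. `<define-tag moreinfo></p>` opens with a stray `</p>`, the `<li>` has no enclosing `<ul>`, and no `</define-tag>` closes moreinfo before the `# do not modify the following line` comment. Suggest opening with `<define-tag moreinfo>` followed by `<ul>`, closing the list right after `</li>`, and adding `</define-tag>` after the security tracker paragraph. Both `href=""` attributes (the CVE link and the tracker link) are empty and the tracker link text is only `\`, so neither link leads anywhere. The four sysctl settings sit inside a `<p>`, so they will render run together on one line; a `<pre>` block would keep one setting per line, which matters for an administrator copying the mitigation into a sysctl configuration file.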