🚨 ⚠️ ⚠️ ⚠️
Urgent Linux advisory
⚠️ ⚠️ ⚠️ 🚨
Urgently run the following:
echo 0 | sudo tee /proc/sys/net/ipv4/tcp_sack
on all Linux hosts to work around the issue, and then start patching your kernels
@ivesen I have no reason to believe 5.x is safe, and you should update now
@ivesen update: 5.1.11 is safe, any earlier and it's not
@sir well that was fast
already in my distro update
@irl it's not an urgent problem for those devices. This affects Linux servers
@sir just so as not to run something I don't entirely understand: what will this change on my system / will it break my production?
@ignaloidas this will disable TCP SACK, an optional feature without which lossy connections may suffer reduced throughput
Without disabling this, your server can be remotely kernel panicked
@sir Thanks for the explanation, gonna patch it fast.
@sir I just updated to 5.1.11, should I still do this?
@adalbertsen1 you good
@sir thanks! 😄
I went the sysctl way to make it permanent.
net.ipv4.tcp_sack = 0
@gemlog imo turn it off in the booted kernel and then patch it; the next reboot should boot into a patched kernel, instead of setting yourself up to forget a sysctl change
Putting it in the conf file means it will automagically be applied on a reboot (should that ever happen!).
Besides, I'm moving out of this box soon into a new one.
@gemlog I know how sysctl works :P I still disagree with your mitigation approach
@sir info on SO_MEMINFO seems rare
@sir Looks like Canonical got on this one quickly: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html
Just making sure:
With Ubuntu on kernel version 4.15.0-52-generic I'm safe, right?
Or do I still need to disable tcp_sack?
@bn4t Ubuntu is patched, if you're up-to-date you're good.
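A defender's check for the workaround and kernel version discussed in this thread, as an added example that is not part of the original posts. It assumes the mainline fix threshold of 5.1.11 that @sir states, runs `uname -r` on the host, and only recognises mainline version numbers: distro kernels such as Ubuntu's 4.15.0-52 backport the fix, so for those the vendor advisory (like the Canonical page linked above) is the authority and the live tcp_sack value is what this script actually trusts.

```shell
#!/bin/sh
# Added example, not from the thread: classify a host for the TCP SACK kernel bug
# (CVE-2019-11477) it discusses. Assumptions: mainline fix is 5.1.11 as stated in
# the thread; distro kernels backport the fix, so the version test only recognises
# mainline kernels and the tcp_sack sysctl decides whether the workaround is in place.

# Reduce a `uname -r` string such as "4.15.0-52-generic" to "4.15.0".
kernel_base_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/'
}

# Return 0 if dotted version $1 >= $2, comparing three numeric fields (missing ones are 0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Return 0 when the sysctl file holds 0, i.e. SACK is disabled (the workaround from the thread).
tcp_sack_disabled() {
    f=${1:-/proc/sys/net/ipv4/tcp_sack}
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Classify a host from its kernel release string ($1) and tcp_sack sysctl file ($2):
#   patched   - mainline kernel at or above the fixed version
#   mitigated - older kernel, but SACK is off; still install the kernel update
#   exposed   - older (or unrecognised distro) kernel with SACK on; check the vendor advisory
assess_host() {
    if version_ge "$(kernel_base_version "$1")" "5.1.11"; then
        echo patched
    elif tcp_sack_disabled "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# Live check of this host; the workaround itself is the echo/tee one-liner from the thread.
echo "$(uname -r): $(assess_host "$(uname -r)" /proc/sys/net/ipv4/tcp_sack)"
```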
cmpwn.com is a private Mastodon instance for friends of SirCmpwn.