🚨 ⚠️ ⚠️ ⚠️
Urgent Linux advisory
⚠️ ⚠️ ⚠️ 🚨

Urgently run the following:

echo 0 | sudo tee /proc/sys/net/ipv4/tcp_sack

On all Linux hosts to work around the issue and then start patching your kernels

@sir aren't 5.x kernels fine ?

or do I need to update tomorrow

@ivesen I have no reason to believe 5.x is safe, and you should update now

@ivesen update: 5.1.11 is safe, any earlier and it's not

@sir how do I do this on my smart tv and android devices?

@irl it's not an urgent problem for those devices. This affects Linux servers

@sir my smart tv is a Linux server. It has two web servers listening, one I haven’t figured out what it does yet.

This was more just an observation that when stuff like this happens there’s nothing that can be done on whole classes of device.

@sir just as not to run what I don't entirely understand: what will this change on my system/will it break my production?

@ignaloidas this will disable TCP SACK, an optional feature without which lossy connections may suffer reduced throughput

Without disabling this, your server can be remotely kernel panicked
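A small check script, added here and not from anyone in the thread, that applies the rule stated above (kernels older than 5.1.11 affected, workaround is tcp_sack = 0) to decide whether a host still needs the sysctl. It assumes /proc/sys/net/ipv4/tcp_sack exists and treats the version rule as a heuristic only: distribution kernels backport fixes, so a lower version number may already be patched.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether a host still needs the
# tcp_sack workaround under the rule "anything before 5.1.11 is affected".

# version_lt A B -> returns 0 when dotted version A is older than B (3 fields)
version_lt() {
  a="$1"; b="$2"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# kernel_base strips the distro suffix: "4.19.0-5-amd64" -> "4.19.0"
kernel_base() {
  echo "$1" | sed 's/[^0-9.].*$//'
}

# needs_workaround KERNEL_RELEASE TCP_SACK_VALUE -> prints "yes" or "no".
# "yes" only when the kernel is older than 5.1.11 AND SACK is still enabled.
needs_workaround() {
  if version_lt "$(kernel_base "$1")" "5.1.11" && [ "$2" = "1" ]; then
    echo yes
  else
    echo no
  fi
}

# check_host runs the same decision against the live kernel and sysctl value
# (assumes the /proc path from the thread; missing file is treated as SACK off).
check_host() {
  sack=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo 0)
  needs_workaround "$(uname -r)" "$sack"
}
```

Run check_host on a box; a "yes" means the echo 0 workaround from the top of the thread has not been applied on an affected kernel.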


I went the sysctl way to make it permanent.

edit /etc/sysctl.conf
net.ipv4.tcp_sack = 0
reload it:
sysctl -p

@gemlog imo turn it off in the booted kernel and then patch it, the next reboot should boot into a patched kernel instead of setting yourself up to forget a sysctl change

Putting it in the conf file means it will automagically be applied on a reboot (should that ever happen!).
Besides, I'm moving out of this box soon into a new one.

@gemlog I know how sysctl works :P I still disagree with your mitigation approach

@sir sir, thank you much! Here is the line for a .conf in /etc/tmpfiles.d with systemd systems:

tfw one of your production servers has a kernel too old to be affected